
Windows Analysis Report K7dGM0P0yz

Overview

General Information

Sample Name: K7dGM0P0yz (renamed file extension from none to dll)
Analysis ID: 492437
MD5: 2955d4759afce09a41c1df5b108f0287
SHA1: 11e277c3c987b4119909dd099a5f901e074698e3
SHA256: 97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
Tags: Dridexexe

Detection

Dridex
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7076 cmdline: loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 7068 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7144 cmdline: rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • bdechangepin.exe (PID: 6036 cmdline: C:\Windows\system32\bdechangepin.exe MD5: 013D00A367D851B0EC869F209337754E)
        • bdechangepin.exe (PID: 6932 cmdline: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe MD5: 013D00A367D851B0EC869F209337754E)
        • rdpinit.exe (PID: 4824 cmdline: C:\Windows\system32\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • rdpinit.exe (PID: 6476 cmdline: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • wlrmdr.exe (PID: 1088 cmdline: C:\Windows\system32\wlrmdr.exe MD5: 4849E997AF1274DD145672A2F9BC0827)
        • wlrmdr.exe (PID: 5984 cmdline: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe MD5: 4849E997AF1274DD145672A2F9BC0827)
        • rdpclip.exe (PID: 1332 cmdline: C:\Windows\system32\rdpclip.exe MD5: 1690E3004F712C75A2C9FF6BCDE49461)
        • rdpclip.exe (PID: 2820 cmdline: C:\Users\user\AppData\Local\I0o\rdpclip.exe MD5: 1690E3004F712C75A2C9FF6BCDE49461)
        • AgentService.exe (PID: 2328 cmdline: C:\Windows\system32\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • AgentService.exe (PID: 1808 cmdline: C:\Users\user\AppData\Local\eF0\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • dccw.exe (PID: 6372 cmdline: C:\Windows\system32\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)
        • dccw.exe (PID: 3864 cmdline: C:\Users\user\AppData\Local\Fox\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)
        • dpapimig.exe (PID: 6960 cmdline: C:\Windows\system32\dpapimig.exe MD5: EE7DB7B615B48D8F9F08FAE70CAF46D7)
        • dpapimig.exe (PID: 404 cmdline: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe MD5: EE7DB7B615B48D8F9F08FAE70CAF46D7)
        • GamePanel.exe (PID: 5180 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • GamePanel.exe (PID: 4488 cmdline: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • RdpSaUacHelper.exe (PID: 4768 cmdline: C:\Windows\system32\RdpSaUacHelper.exe MD5: DA88A7B872B1A52F2465D12CFBA4EDAB)
        • RdpSaUacHelper.exe (PID: 5920 cmdline: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe MD5: DA88A7B872B1A52F2465D12CFBA4EDAB)
        • osk.exe (PID: 960 cmdline: C:\Windows\system32\osk.exe MD5: 88B09DE7D0DF1D2E9BCA9BAE1346CB23)
    • rundll32.exe (PID: 5516 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6800 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source / Rule / Description / Author
Source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp  Rule: JoeSecurity_Dridex_2  Description: Yara detected Dridex unpacked file  Author: Joe Security
Source: 00000027.00000002.1020058745.0000000140001000.00000020.00020000.sdmp  Rule: JoeSecurity_Dridex_2  Description: Yara detected Dridex unpacked file  Author: Joe Security
Source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp  Rule: JoeSecurity_Dridex_2  Description: Yara detected Dridex unpacked file  Author: Joe Security
Source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp  Rule: JoeSecurity_Dridex_2  Description: Yara detected Dridex unpacked file  Author: Joe Security
Source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp  Rule: JoeSecurity_Dridex_2  Description: Yara detected Dridex unpacked file  Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: K7dGM0P0yz.dll  Virustotal: Detection: 62%
Source: K7dGM0P0yz.dll  Metadefender: Detection: 65%
Source: K7dGM0P0yz.dll  ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: K7dGM0P0yz.dll  Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll  Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll  Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I0o\dwmapi.dll  Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll  Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Fox\dxva2.dll  Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe  Code function: 20_2_00007FF6CE1C2D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,20_2_00007FF6CE1C2D94
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe  Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose,27_2_00007FF7B9584C10
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A2C8534 CryptDestroyHash,CryptReleaseContext,37_2_00007FF66A2C8534
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A2C874C CryptHashData,37_2_00007FF66A2C874C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A2C88F8 CryptHashData,37_2_00007FF66A2C88F8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A2C8598 CryptAcquireContextW,CryptCreateHash,37_2_00007FF66A2C8598
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A2C8610 CryptGetHashParam,memset,37_2_00007FF66A2C8610
Source: K7dGM0P0yz.dll  Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe  Code function: 27_2_00007FF7B958603C GetModuleHandleExW,memset,RegisterClassW,CreateWindowExW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,UnregisterDeviceNotification,UnregisterDeviceNotification,27_2_00007FF7B958603C
Source: C:\Windows\System32\loaddll64.exe  Code function: 0_2_000000014005D290 FindFirstFileExW,0_2_000000014005D290
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe  Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree,27_2_00007FF7B95B2380
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe  Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException,30_2_00007FF71B679110
Source: GamePanel.exe  String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe  String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe  String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe  String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe  String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe  String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe  String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe  String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe  String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe  String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe  String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp  String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: C:\Users\user\AppData\Local\Fox\dccw.exe  Code function: 32_2_00007FF7D526DA68 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject,32_2_00007FF7D526DA68
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe  Code function: 37_2_00007FF66A3045E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task,37_2_00007FF66A3045E0

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match  File source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000027.00000002.1020058745.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.681792937.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000022.00000002.965505490.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000020.00000002.931145989.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000018.00000002.847453673.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.666466905.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000010.00000002.786920888.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.749176319.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000025.00000002.992899569.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1FB1C020_2_00007FF6CE1FB1C0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1F8A4020_2_00007FF6CE1F8A40
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1F7ACC20_2_00007FF6CE1F7ACC
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1F9B1420_2_00007FF6CE1F9B14
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F377824_2_00007FF79A6F3778
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F15EC24_2_00007FF79A6F15EC
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F2BE824_2_00007FF79A6F2BE8
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F1B6424_2_00007FF79A6F1B64
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95CBA8027_2_00007FF7B95CBA80
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A71F427_2_00007FF7B95A71F4
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95889C027_2_00007FF7B95889C0
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95C29A827_2_00007FF7B95C29A8
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95CAD1027_2_00007FF7B95CAD10
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95C24E427_2_00007FF7B95C24E4
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95B238027_2_00007FF7B95B2380
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95CD36027_2_00007FF7B95CD360
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95AC3AC27_2_00007FF7B95AC3AC
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95856C427_2_00007FF7B95856C4
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B9583ED027_2_00007FF7B9583ED0
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A6DAC27_2_00007FF7B95A6DAC
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B959707027_2_00007FF7B9597070
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B958603C27_2_00007FF7B958603C
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95BA01827_2_00007FF7B95BA018
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B9589F7827_2_00007FF7B9589F78
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A5F6827_2_00007FF7B95A5F68
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95C473C27_2_00007FF7B95C473C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65CC3030_2_00007FF71B65CC30
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CACE830_2_00007FF71B6CACE8
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6DDBA430_2_00007FF71B6DDBA4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B68A97430_2_00007FF71B68A974
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6829F430_2_00007FF71B6829F4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6D29E030_2_00007FF71B6D29E0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B67911030_2_00007FF71B679110
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B64E0F430_2_00007FF71B64E0F4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CA01430_2_00007FF71B6CA014
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AEE7C30_2_00007FF71B6AEE7C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B681E3430_2_00007FF71B681E34
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6E8F0430_2_00007FF71B6E8F04
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B664EF030_2_00007FF71B664EF0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65BEE430_2_00007FF71B65BEE4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CA45030_2_00007FF71B6CA450
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65E44430_2_00007FF71B65E444
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B67850030_2_00007FF71B678500
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6454E030_2_00007FF71B6454E0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6764D030_2_00007FF71B6764D0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6504AC30_2_00007FF71B6504AC
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B69049830_2_00007FF71B690498
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AC27830_2_00007FF71B6AC278
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B69615830_2_00007FF71B696158
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B69115E30_2_00007FF71B69115E
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B68B12C30_2_00007FF71B68B12C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6DE83430_2_00007FF71B6DE834
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AD6FC30_2_00007FF71B6AD6FC
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6896D830_2_00007FF71B6896D8
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65858C30_2_00007FF71B65858C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B67758030_2_00007FF71B677580
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D526124C32_2_00007FF7D526124C
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D5262C3C32_2_00007FF7D5262C3C
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D526DA6832_2_00007FF7D526DA68
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D52680F032_2_00007FF7D52680F0
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D526238432_2_00007FF7D5262384
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D52635C432_2_00007FF7D52635C4
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exeCode function: 34_2_00007FF6312D1F0834_2_00007FF6312D1F08
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F0C4437_2_00007FF66A2F0C44
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A284CDC37_2_00007FF66A284CDC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29ED0037_2_00007FF66A29ED00
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CCCFC37_2_00007FF66A2CCCFC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B694837_2_00007FF66A2B6948
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FA99837_2_00007FF66A2FA998
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C89F437_2_00007FF66A2C89F4
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CAFF037_2_00007FF66A2CAFF0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FD01037_2_00007FF66A2FD010
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EB12437_2_00007FF66A2EB124
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EED9037_2_00007FF66A2EED90
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E4DD037_2_00007FF66A2E4DD0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FEE4037_2_00007FF66A2FEE40
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B8F1437_2_00007FF66A2B8F14
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2943B837_2_00007FF66A2943B8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E21AC37_2_00007FF66A2E21AC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2A21AC37_2_00007FF66A2A21AC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E419837_2_00007FF66A2E4198
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A28E22437_2_00007FF66A28E224
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2AA25037_2_00007FF66A2AA250
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EC2D837_2_00007FF66A2EC2D8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26A7EC37_2_00007FF66A26A7EC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A3147E537_2_00007FF66A3147E5
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26E7FC37_2_00007FF66A26E7FC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A279AF037_2_00007FF66A279AF0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C48C037_2_00007FF66A2C48C0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29E56037_2_00007FF66A29E560
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B253C37_2_00007FF66A2B253C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A3045E037_2_00007FF66A3045E0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CA5D037_2_00007FF66A2CA5D0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C062037_2_00007FF66A2C0620
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D064437_2_00007FF66A2D0644
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30072837_2_00007FF66A300728
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30DB6C37_2_00007FF66A30DB6C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29DC4437_2_00007FF66A29DC44
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30FC5937_2_00007FF66A30FC59
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EBD1437_2_00007FF66A2EBD14
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F7A2037_2_00007FF66A2F7A20
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D7A0037_2_00007FF66A2D7A00
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D1AD437_2_00007FF66A2D1AD4
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FBF8837_2_00007FF66A2FBF88
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30BFEC37_2_00007FF66A30BFEC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26A05837_2_00007FF66A26A058
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A263D3837_2_00007FF66A263D38
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CBE5837_2_00007FF66A2CBE58
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D5F0837_2_00007FF66A2D5F08
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F137C37_2_00007FF66A2F137C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30746037_2_00007FF66A307460
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CB45437_2_00007FF66A2CB454
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B948437_2_00007FF66A2B9484
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FB14C37_2_00007FF66A2FB14C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F519037_2_00007FF66A2F5190
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2DB26C37_2_00007FF66A2DB26C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29326037_2_00007FF66A293260
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2972C837_2_00007FF66A2972C8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30D7A237_2_00007FF66A30D7A2
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FD78837_2_00007FF66A2FD788
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26B92837_2_00007FF66A26B928
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EF92037_2_00007FF66A2EF920
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CD6B037_2_00007FF66A2CD6B0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: String function: 00007FF66A264D68 appears 192 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: String function: 00007FF66A2762E4 appears 62 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: String function: 00007FF66A266894 appears 49 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: String function: 00007FF66A306AD8 appears 230 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: String function: 00007FF66A2632F8 appears 394 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe   Code function: String function: 00007FF71B6459E0 appears 153 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe   Code function: String function: 00007FF71B685CE8 appears 64 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe   Code function: String function: 00007FF71B643F1C appears 39 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe   Code function: String function: 00007FF71B645BC4 appears 55 times
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe   Code function: String function: 00007FF636981400 appears 70 times
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe   Code function: String function: 00007FF7B95867D8 appears 58 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe   Code function: 30_2_00007FF71B6493A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z
            Source: C:\Windows\System32\loaddll64.exe   Code function: 0_2_0000000140046C90 NtClose
            Source: C:\Windows\System32\loaddll64.exe   Code function: 0_2_000000014006A4B0 NtQuerySystemInformation
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe   Code function: 20_2_00007FF6CE1E9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe   Code function: 24_2_00007FF79A6F2E0C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,LocalAlloc,GetLastError,LocalFree,RtlNtStatusToDosError,RtlCompareUnicodeString
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe   Code function: 24_2_00007FF79A6F2F58 memset,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe   Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe   Code function: 27_2_00007FF7B9584E58 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,memset,memcpy_s,CloseHandle
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe   Code function: 27_2_00007FF7B95848B8 memset,QueryDosDeviceW,RtlInitUnicodeString,NtCreateFile,NtClose,DefineDosDeviceW,GetLastError
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: 37_2_00007FF66A2D6C44 RtlInitUnicodeString,NtQueryLicenseValue
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe   Code function: 37_2_00007FF66A30A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe   Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose
            Source: RdpSaUacHelper.exe.5.dr   Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: bdechangepin.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdechangepin.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdechangepin.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.dr   Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dwmapi.dll1.5.dr   Static PE information: Number of sections : 37 > 10
            Source: K7dGM0P0yz.dll   Static PE information: Number of sections : 36 > 10
            Source: DUI70.dll.5.dr   Static PE information: Number of sections : 37 > 10
            Source: WINSTA.dll.5.dr   Static PE information: Number of sections : 37 > 10
            Source: VERSION.dll1.5.dr   Static PE information: Number of sections : 37 > 10
            Source: DUI70.dll1.5.dr   Static PE information: Number of sections : 37 > 10
            Source: dwmapi.dll0.5.dr   Static PE information: Number of sections : 37 > 10
            Source: dxva2.dll.5.dr   Static PE information: Number of sections : 37 > 10
            Source: VERSION.dll0.5.dr   Static PE information: Number of sections : 37 > 10
            Source: dwmapi.dll.5.dr   Static PE information: Number of sections : 37 > 10
            Source: DUI70.dll2.5.dr   Static PE information: Number of sections : 37 > 10
            Source: DUI70.dll0.5.dr   Static PE information: Number of sections : 37 > 10
            Source: VERSION.dll.5.dr   Static PE information: Number of sections : 37 > 10
            Source: K7dGM0P0yz.dll   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll0.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dxva2.dll.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll1.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll1.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINSTA.dll.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll2.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll0.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll1.5.dr   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: K7dGM0P0yz.dll   Virustotal: Detection: 62%
            Source: K7dGM0P0yz.dll   Metadefender: Detection: 65%
            Source: K7dGM0P0yz.dll   ReversingLabs: Detection: 77%
            Source: K7dGM0P0yz.dll   Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
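The static rows above ("Number of sections : 37 > 10", the per-section characteristics of .text) come from reading the COFF file header and the section table directly. The following is an added example, not part of the sandbox report or of any tool it used: it implements those two checks, plus the usual writable-and-executable section check, on raw bytes. build_pe() fabricates a minimal PE32+ skeleton so the checks can run offline; that skeleton is a constructed input, not one of the dropped DLLs, and the threshold of 10 sections is simply the report's own.

```python
"""Added example (not from the sandbox report): section-table heuristics on
raw PE bytes. build_pe() is a constructed PE32+ skeleton used only as input."""
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
MAX_NORMAL_SECTIONS = 10          # the report's "> 10" threshold
COFF_FMT = "<HHIIIHH"             # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
OPT_HDR_SIZE = 240                # size of a PE32+ optional header


def build_pe(sections: List[Tuple[str, int]]) -> bytes:
    """Constructed test input: DOS header pointing at a PE signature, a COFF
    header, a zeroed PE32+ optional header and one header per
    (name, characteristics) pair. Not loadable, but structurally valid
    enough for every parser that walks the section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x2022)
    opt = bytearray(OPT_HDR_SIZE)
    opt[:2] = struct.pack("<H", 0x20B)                          # PE32+ magic
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii")[:8].ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, characteristics) for every entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + opt_size      # sections follow the optional header
    out = []
    for i in range(n_sections):
        hdr = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        out.append((hdr[0].rstrip(b"\0").decode("ascii", "replace"), hdr[9]))
    return out


def flag_names(characteristics: int) -> List[str]:
    return [label for bit, label in FLAG_NAMES.items() if characteristics & bit]


def assess(data: bytes) -> Dict[str, object]:
    """The report's section-count heuristic plus a W+X check per section."""
    secs = parse_sections(data)
    return {
        "section_count": len(secs),
        "too_many_sections": len(secs) > MAX_NORMAL_SECTIONS,
        "wx_sections": [n for n, ch in secs
                        if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE],
        "sections": {n: flag_names(ch) for n, ch in secs},
    }


if __name__ == "__main__":
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    bloated = build_pe([(".text", rx)] + [(f".s{i:02d}", IMAGE_SCN_MEM_READ) for i in range(36)])
    print(assess(bloated)["section_count"], assess(bloated)["too_many_sections"])
```

On a real file, pass `open(path, "rb").read()` to `assess()`; a section count of 36 or 37 with a single conventional .text flagged RX, as in the rows above, is the signal the report is reporting, and a W+X section would be an additional finding the report does not claim for these files.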
            Source: C:\Windows\System32\loaddll64.exe   Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown   Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
            Source: C:\Windows\System32\loaddll64.exe   Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
            Source: C:\Windows\System32\loaddll64.exe   Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
            Source: C:\Windows\System32\cmd.exe   Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
            Source: C:\Windows\System32\loaddll64.exe   Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
            Source: C:\Windows\System32\loaddll64.exe   Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\rdpclip.exe C:\Windows\system32\rdpclip.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\I0o\rdpclip.exe C:\Users\user\AppData\Local\I0o\rdpclip.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\eF0\AgentService.exe C:\Users\user\AppData\Local\eF0\AgentService.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\Fox\dccw.exe C:\Users\user\AppData\Local\Fox\dccw.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
            Source: C:\Windows\explorer.exe   Process created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
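The process-creation rows above repeat one pattern: explorer.exe launches a genuine System32 binary (bdechangepin.exe, rdpinit.exe, wlrmdr.exe, rdpclip.exe, AgentService.exe, dccw.exe, dpapimig.exe, GamePanel.exe, RdpSaUacHelper.exe) and then a same-named copy from a freshly created %LOCALAPPDATA%\<random>\ directory, which is where the dropped DLLs named in the static rows (dwmapi.dll, DUI70.dll, WINSTA.dll, VERSION.dll, dxva2.dll) would be picked up by the copy in preference to the system ones. The block below is an added example, not part of the sandbox report: detection logic that parses rows in the report's own layout and flags every launch of a System32 basename from a user-writable AppData\Local path, pairing it with the genuine launch by the same parent when the log contains one. SAMPLE_ROWS is a constructed subset copied from the rows above; the regex assumes that "Source: <parent>Process created: <image> <command line>" layout (with or without whitespace between the columns), and the optional allow-list parameter is a hypothetical hook for an environment's own list of System32 image names.

```python
r"""Added example (not from the sandbox report): flag System32 image names
launched from %LOCALAPPDATA%\<random>\, the pattern in the rows above.
SAMPLE_ROWS is a constructed subset of those rows."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

# One report row; the non-greedy parent group also tolerates whitespace before
# "Process created:", so both the raw and the column-separated layout parse.
ROW_RE = re.compile(r"^Source:\s*(.*?)\s*Process created:\s*(\S+)\s*(.*)$")
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

# Constructed sample: a subset of the report's own "Process created" rows.
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\rdpclip.exe C:\Windows\system32\rdpclip.exe
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\I0o\rdpclip.exe C:\Users\user\AppData\Local\I0o\rdpclip.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
"""


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Hit:
    parent: str
    name: str                 # basename shared with the System32 binary
    copy: str                 # image actually launched from AppData
    original: Optional[str]   # System32 launch by the same parent, if logged


def parse_rows(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m.group(1), m.group(2), m.group(3)))
    return events


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _in_system_dir(image: str) -> bool:
    return str(PureWindowsPath(image).parent).lower() in SYSTEM_DIRS


def find_masquerades(events: List[ProcEvent],
                     known_system_names: Optional[Set[str]] = None) -> List[Hit]:
    """Flag every launch of a System32 basename from a user-writable
    %LOCALAPPDATA% path. Without an allow-list (hypothetical parameter) the
    genuine names are learned from the System32 launches in the same log,
    which is exactly the shape of the report: original first, copy second,
    same parent."""
    names = set(known_system_names or ())
    originals: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        if _in_system_dir(e.image):
            names.add(_basename(e.image))
            originals[(e.parent.lower(), _basename(e.image))].append(e.image)
    hits = []
    for e in events:
        name = _basename(e.image)
        if name in names and USER_WRITABLE.match(e.image):
            seen = originals.get((e.parent.lower(), name), [])
            hits.append(Hit(e.parent, name, e.image, seen[0] if seen else None))
    return hits


if __name__ == "__main__":
    for h in find_masquerades(parse_rows(SAMPLE_ROWS)):
        print(f"{h.parent} -> {h.copy}  (genuine launch: {h.original})")
```

Learning the genuine names from the same log keeps the rule free of a hard-coded list, but it also means a lone AppData copy with no preceding System32 launch is only caught when an allow-list is supplied; in production that list would be the basenames of the host's own System32 directory.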
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\rdpclip.exe C:\Windows\system32\rdpclip.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\I0o\rdpclip.exe C:\Users\user\AppData\Local\I0o\rdpclip.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\eF0\AgentService.exe C:\Users\user\AppData\Local\eF0\AgentService.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Fox\dccw.exe C:\Users\user\AppData\Local\Fox\dccw.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError,30_2_00007FF71B65943C
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: classification engineClassification label: mal96.troj.evad.winDLL@54/25@0/0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1D2FB4 CoCreateInstance,RtlPublishWnfStateData,RtlPublishWnfStateData,RtlPublishWnfStateData,20_2_00007FF6CE1D2FB4
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF636983364 InitializeCriticalSection,GetCommandLineW,CommandLineToArgvW,GetLastError,iswalpha,towupper,EnterCriticalSection,FormatMessageW,GetModuleHandleW,#344,LeaveCriticalSection,LeaveCriticalSection,CoInitialize,InitProcessPriv,InitThread,FormatMessageW,GetLastError,CreateMutexW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,LocalFree,LocalFree,UnInitThread,UnInitProcessPriv,CoUninitialize,CloseHandle,DeleteCriticalSection,GetSystemMetrics,GetSystemMetrics,GetModuleHandleW,LoadImageW,?Create@NativeHWNDHost@DirectUI@@SAJPEBGPEAUHWND__@@PEAUHICON__@@HHHHHHIPEAPEAV12@@Z,EnterCriticalSection,LeaveCriticalSection,?EndDefer@Element@DirectUI@@QEAAXK@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z,?ShowWindow@NativeHWNDHost@DirectUI@@QEAAXH@Z,StartMessagePump,16_2_00007FF636983364
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B64345C StartServiceCtrlDispatcherW,GetLastError,30_2_00007FF71B64345C
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle,24_2_00007FF79A6F3464
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeMutant created: \Sessions\1\BaseNamedObjects\{832029fd-8b48-c9e2-536d-2d493fe88741}
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeMutant created: \Sessions\1\BaseNamedObjects\{bcabdb27-9189-fb60-e76f-c1e63267ec97}
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D52635C4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,memset,GetModuleFileNameW,GetModuleHandleW,EnterCriticalSection,memcpy_s,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,32_2_00007FF7D52635C4
            Source: rdpinit.exeString found in binary or memory: Re-Start RdpShell failed
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: GamePanel.exeString found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: K7dGM0P0yz.dllStatic PE information: Image base 0x140000000 > 0x60000000
            Source: K7dGM0P0yz.dllStatic file information: File size 1224704 > 1048576
            Source: K7dGM0P0yz.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
            Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
            Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
            Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
            Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
            Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
            Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
            Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
            Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
            Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
            Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
            Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
            Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
            Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
            Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
            Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1D4162 push rcx; ret 20_2_00007FF6CE1D4163
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B958CD52 push rcx; ret 27_2_00007FF7B958CD53
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B68FF70 pushfq ; retf 30_2_00007FF71B68FF71
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6884C0 push rsp; retf 30_2_00007FF71B6884C1
            Source: K7dGM0P0yz.dllStatic PE information: section name: .qkm
            Source: K7dGM0P0yz.dllStatic PE information: section name: .cvjb
            Source: K7dGM0P0yz.dllStatic PE information: section name: .tlmkv
            Source: K7dGM0P0yz.dllStatic PE information: section name: .wucsxe
            Source: K7dGM0P0yz.dllStatic PE information: section name: .wnx
            Source: K7dGM0P0yz.dllStatic PE information: section name: .weqy
            Source: K7dGM0P0yz.dllStatic PE information: section name: .yby
            Source: K7dGM0P0yz.dllStatic PE information: section name: .ormx
            Source: K7dGM0P0yz.dllStatic PE information: section name: .dhclu
            Source: K7dGM0P0yz.dllStatic PE information: section name: .xmiul
            Source: K7dGM0P0yz.dllStatic PE information: section name: .tlwcxe
            Source: K7dGM0P0yz.dllStatic PE information: section name: .get
            Source: K7dGM0P0yz.dllStatic PE information: section name: .hzrd
            Source: K7dGM0P0yz.dllStatic PE information: section name: .qzu
            Source: K7dGM0P0yz.dllStatic PE information: section name: .nhglos
            Source: K7dGM0P0yz.dllStatic PE information: section name: .itzo
            Source: K7dGM0P0yz.dllStatic PE information: section name: .nmsaom
            Source: K7dGM0P0yz.dllStatic PE information: section name: .mas
            Source: K7dGM0P0yz.dllStatic PE information: section name: .ldov
            Source: K7dGM0P0yz.dllStatic PE information: section name: .bwslm
            Source: K7dGM0P0yz.dllStatic PE information: section name: .gfceb
            Source: K7dGM0P0yz.dllStatic PE information: section name: .nojmwb
            Source: K7dGM0P0yz.dllStatic PE information: section name: .naznun
            Source: K7dGM0P0yz.dllStatic PE information: section name: .iyfv
            Source: K7dGM0P0yz.dllStatic PE information: section name: .iqae
            Source: K7dGM0P0yz.dllStatic PE information: section name: .zco
            Source: K7dGM0P0yz.dllStatic PE information: section name: .kqpcjh
            Source: K7dGM0P0yz.dllStatic PE information: section name: .unbzj
            Source: K7dGM0P0yz.dllStatic PE information: section name: .tcuit
            Source: K7dGM0P0yz.dllStatic PE information: section name: .sow
            Source: rdpinit.exe.5.drStatic PE information: section name: .imrsiv
            Source: wlrmdr.exe.5.drStatic PE information: section name: .imrsiv
            Source: GamePanel.exe.5.drStatic PE information: section name: .imrsiv
            Source: GamePanel.exe.5.drStatic PE information: section name: .didat
            Source: systemreset.exe.5.drStatic PE information: section name: .imrsiv
            Source: DUI70.dll.5.drStatic PE information: section name: .qkm
            Source: DUI70.dll.5.drStatic PE information: section name: .cvjb
            Source: DUI70.dll.5.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll.5.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll.5.drStatic PE information: section name: .wnx
            Source: DUI70.dll.5.drStatic PE information: section name: .weqy
            Source: DUI70.dll.5.drStatic PE information: section name: .yby
            Source: DUI70.dll.5.drStatic PE information: section name: .ormx
            Source: DUI70.dll.5.drStatic PE information: section name: .dhclu
            Source: DUI70.dll.5.drStatic PE information: section name: .xmiul
            Source: DUI70.dll.5.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll.5.drStatic PE information: section name: .get
            Source: DUI70.dll.5.drStatic PE information: section name: .hzrd
            Source: DUI70.dll.5.drStatic PE information: section name: .qzu
            Source: DUI70.dll.5.drStatic PE information: section name: .nhglos
            Source: DUI70.dll.5.drStatic PE information: section name: .itzo
            Source: DUI70.dll.5.drStatic PE information: section name: .nmsaom
            Source: DUI70.dll.5.drStatic PE information: section name: .mas
            Source: DUI70.dll.5.drStatic PE information: section name: .ldov
            Source: DUI70.dll.5.drStatic PE information: section name: .bwslm
            Source: DUI70.dll.5.drStatic PE information: section name: .gfceb
            Source: DUI70.dll.5.drStatic PE information: section name: .nojmwb
            Source: DUI70.dll.5.drStatic PE information: section name: .naznun
            Source: DUI70.dll.5.drStatic PE information: section name: .iyfv
            Source: DUI70.dll.5.drStatic PE information: section name: .iqae
            Source: DUI70.dll.5.drStatic PE information: section name: .zco
            Source: DUI70.dll.5.drStatic PE information: section name: .kqpcjh
            Source: DUI70.dll.5.drStatic PE information: section name: .unbzj
            Source: DUI70.dll.5.drStatic PE information: section name: .tcuit
            Source: DUI70.dll.5.drStatic PE information: section name: .sow
            Source: DUI70.dll.5.drStatic PE information: section name: .njy
            Source: dwmapi.dll.5.drStatic PE information: section name: .qkm
            Source: dwmapi.dll.5.drStatic PE information: section name: .cvjb
            Source: dwmapi.dll.5.drStatic PE information: section name: .tlmkv
            Source: dwmapi.dll.5.drStatic PE information: section name: .wucsxe
            Source: dwmapi.dll.5.drStatic PE information: section name: .wnx
            Source: dwmapi.dll.5.drStatic PE information: section name: .weqy
            Source: dwmapi.dll.5.drStatic PE information: section name: .yby
            Source: dwmapi.dll.5.drStatic PE information: section name: .ormx
            Source: dwmapi.dll.5.drStatic PE information: section name: .dhclu
            Source: dwmapi.dll.5.drStatic PE information: section name: .xmiul
            Source: dwmapi.dll.5.drStatic PE information: section name: .tlwcxe
            Source: dwmapi.dll.5.drStatic PE information: section name: .get
            Source: dwmapi.dll.5.drStatic PE information: section name: .hzrd
            Source: dwmapi.dll.5.drStatic PE information: section name: .qzu
            Source: dwmapi.dll.5.drStatic PE information: section name: .nhglos
            Source: dwmapi.dll.5.drStatic PE information: section name: .itzo
            Source: dwmapi.dll.5.drStatic PE information: section name: .nmsaom
            Source: dwmapi.dll.5.drStatic PE information: section name: .mas
            Source: dwmapi.dll.5.drStatic PE information: section name: .ldov
            Source: dwmapi.dll.5.drStatic PE information: section name: .bwslm
            Source: dwmapi.dll.5.drStatic PE information: section name: .gfceb
            Source: dwmapi.dll.5.drStatic PE information: section name: .nojmwb
            Source: dwmapi.dll.5.drStatic PE information: section name: .naznun
            Source: dwmapi.dll.5.drStatic PE information: section name: .iyfv
            Source: dwmapi.dll.5.drStatic PE information: section name: .iqae
            Source: dwmapi.dll.5.drStatic PE information: section name: .zco
            Source: dwmapi.dll.5.drStatic PE information: section name: .kqpcjh
            Source: dwmapi.dll.5.drStatic PE information: section name: .unbzj
            Source: dwmapi.dll.5.drStatic PE information: section name: .tcuit
            Source: dwmapi.dll.5.drStatic PE information: section name: .sow
            Source: dwmapi.dll.5.drStatic PE information: section name: .wsh
            Source: DUI70.dll0.5.drStatic PE information: section name: .qkm
            Source: DUI70.dll0.5.drStatic PE information: section name: .cvjb
            Source: DUI70.dll0.5.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll0.5.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll0.5.drStatic PE information: section name: .wnx
            Source: DUI70.dll0.5.drStatic PE information: section name: .weqy
            Source: DUI70.dll0.5.drStatic PE information: section name: .yby
            Source: DUI70.dll0.5.drStatic PE information: section name: .ormx
            Source: DUI70.dll0.5.drStatic PE information: section name: .dhclu
            Source: DUI70.dll0.5.drStatic PE information: section name: .xmiul
            Source: DUI70.dll0.5.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll0.5.drStatic PE information: section name: .get
            Source: DUI70.dll0.5.drStatic PE information: section name: .hzrd
            Source: DUI70.dll0.5.drStatic PE information: section name: .qzu
            Source: DUI70.dll0.5.drStatic PE information: section name: .nhglos
            Source: DUI70.dll0.5.drStatic PE information: section name: .itzo
            Source: DUI70.dll0.5.drStatic PE information: section name: .nmsaom
            Source: DUI70.dll0.5.drStatic PE information: section name: .mas
            Source: DUI70.dll0.5.drStatic PE information: section name: .ldov
            Source: DUI70.dll0.5.drStatic PE information: section name: .bwslm
            Source: DUI70.dll0.5.drStatic PE information: section name: .gfceb
            Source: DUI70.dll0.5.drStatic PE information: section name: .nojmwb
            Source: DUI70.dll0.5.drStatic PE information: section name: .naznun
            Source: DUI70.dll0.5.drStatic PE information: section name: .iyfv
            Source: DUI70.dll0.5.drStatic PE information: section name: .iqae
            Source: DUI70.dll0.5.drStatic PE information: section name: .zco
            Source: DUI70.dll0.5.drStatic PE information: section name: .kqpcjh
            Source: DUI70.dll0.5.drStatic PE information: section name: .unbzj
            Source: DUI70.dll0.5.drStatic PE information: section name: .tcuit
            Source: DUI70.dll0.5.drStatic PE information: section name: .sow
            Source: DUI70.dll0.5.drStatic PE information: section name: .jzccua
            Source: dwmapi.dll0.5.drStatic PE information: section name: .qkm
            Source: dwmapi.dll0.5.drStatic PE information: section name: .cvjb
            Source: dwmapi.dll0.5.drStatic PE information: section name: .tlmkv
            Source: dwmapi.dll0.5.drStatic PE information: section name: .wucsxe
            Source: dwmapi.dll0.5.drStatic PE information: section name: .wnx
            Source: dwmapi.dll0.5.drStatic PE information: section name: .weqy
            Source: dwmapi.dll0.5.drStatic PE information: section name: .yby
            Source: dwmapi.dll0.5.drStatic PE information: section name: .ormx
            Source: dwmapi.dll0.5.drStatic PE information: section name: .dhclu
            Source: dwmapi.dll0.5.drStatic PE information: section name: .xmiul
            Source: dwmapi.dll0.5.drStatic PE information: section name: .tlwcxe
            Source: dwmapi.dll0.5.drStatic PE information: section name: .get
            Source: dwmapi.dll0.5.drStatic PE information: section name: .hzrd
            Source: dwmapi.dll0.5.drStatic PE information: section name: .qzu
            Source: dwmapi.dll0.5.drStatic PE information: section name: .nhglos
            Source: dwmapi.dll0.5.drStatic PE information: section name: .itzo
            Source: dwmapi.dll0.5.drStatic PE information: section name: .nmsaom
            Source: dwmapi.dll0.5.drStatic PE information: section name: .mas
            Source: dwmapi.dll0.5.drStatic PE information: section name: .ldov
            Source: dwmapi.dll0.5.drStatic PE information: section name: .bwslm
            Source: dwmapi.dll0.5.drStatic PE information: section name: .gfceb
            Source: dwmapi.dll0.5.drStatic PE information: section name: .nojmwb
            Source: dwmapi.dll0.5.drStatic PE information: section name: .naznun
            Source: dwmapi.dll0.5.drStatic PE information: section name: .iyfv
            Source: dwmapi.dll0.5.drStatic PE information: section name: .iqae
            Source: dwmapi.dll0.5.drStatic PE information: section name: .zco
            Source: dwmapi.dll0.5.drStatic PE information: section name: .kqpcjh
            Source: dwmapi.dll0.5.drStatic PE information: section name: .unbzj
            Source: dwmapi.dll0.5.drStatic PE information: section name: .tcuit
            Source: dwmapi.dll0.5.drStatic PE information: section name: .sow
            Source: dwmapi.dll0.5.drStatic PE information: section name: .lkfqq
            Source: VERSION.dll.5.drStatic PE information: section name: .qkm
            Source: VERSION.dll.5.drStatic PE information: section name: .cvjb
            Source: VERSION.dll.5.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll.5.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll.5.drStatic PE information: section name: .wnx
            Source: VERSION.dll.5.drStatic PE information: section name: .weqy
            Source: VERSION.dll.5.drStatic PE information: section name: .yby
            Source: VERSION.dll.5.drStatic PE information: section name: .ormx
            Source: VERSION.dll.5.drStatic PE information: section name: .dhclu
            Source: VERSION.dll.5.drStatic PE information: section name: .xmiul
            Source: VERSION.dll.5.drStatic PE information: section name: .tlwcxe
            Source: VERSION.dll.5.drStatic PE information: section name: .get
            Source: VERSION.dll.5.drStatic PE information: section name: .hzrd
            Source: VERSION.dll.5.drStatic PE information: section name: .qzu
            Source: VERSION.dll.5.drStatic PE information: section name: .nhglos
            Source: VERSION.dll.5.drStatic PE information: section name: .itzo
            Source: VERSION.dll.5.drStatic PE information: section name: .nmsaom
            Source: VERSION.dll.5.drStatic PE information: section name: .mas
            Source: VERSION.dll.5.drStatic PE information: section name: .ldov
            Source: VERSION.dll.5.drStatic PE information: section name: .bwslm
            Source: VERSION.dll.5.drStatic PE information: section name: .gfceb
            Source: VERSION.dll.5.drStatic PE information: section name: .nojmwb
            Source: VERSION.dll.5.drStatic PE information: section name: .naznun
            Source: VERSION.dll.5.drStatic PE information: section name: .iyfv
            Source: VERSION.dll.5.drStatic PE information: section name: .iqae
            Source: VERSION.dll.5.drStatic PE information: section name: .zco
            Source: VERSION.dll.5.drStatic PE information: section name: .kqpcjh
            Source: VERSION.dll.5.drStatic PE information: section name: .unbzj
            Source: VERSION.dll.5.drStatic PE information: section name: .tcuit
            Source: VERSION.dll.5.drStatic PE information: section name: .sow
            Source: VERSION.dll.5.drStatic PE information: section name: .dcm
            Source: dxva2.dll.5.drStatic PE information: section name: .qkm
            Source: dxva2.dll.5.drStatic PE information: section name: .cvjb
            Source: dxva2.dll.5.drStatic PE information: section name: .tlmkv
            Source: dxva2.dll.5.drStatic PE information: section name: .wucsxe
            Source: dxva2.dll.5.drStatic PE information: section name: .wnx
            Source: dxva2.dll.5.drStatic PE information: section name: .weqy
            Source: dxva2.dll.5.drStatic PE information: section name: .yby
            Source: dxva2.dll.5.drStatic PE information: section name: .ormx
            Source: dxva2.dll.5.drStatic PE information: section name: .dhclu
            Source: dxva2.dll.5.drStatic PE information: section name: .xmiul
            Source: dxva2.dll.5.drStatic PE information: section name: .tlwcxe
            Source: dxva2.dll.5.drStatic PE information: section name: .get
            Source: dxva2.dll.5.drStatic PE information: section name: .hzrd
            Source: dxva2.dll.5.drStatic PE information: section name: .qzu
            Source: dxva2.dll.5.drStatic PE information: section name: .nhglos
            Source: dxva2.dll.5.drStatic PE information: section name: .itzo
            Source: dxva2.dll.5.drStatic PE information: section name: .nmsaom
            Source: dxva2.dll.5.drStatic PE information: section name: .mas
            Source: dxva2.dll.5.drStatic PE information: section name: .ldov
            Source: dxva2.dll.5.drStatic PE information: section name: .bwslm
            Source: dxva2.dll.5.drStatic PE information: section name: .gfceb
            Source: dxva2.dll.5.drStatic PE information: section name: .nojmwb
            Source: dxva2.dll.5.drStatic PE information: section name: .naznun
            Source: dxva2.dll.5.drStatic PE information: section name: .iyfv
            Source: dxva2.dll.5.drStatic PE information: section name: .iqae
            Source: dxva2.dll.5.drStatic PE information: section name: .zco
            Source: dxva2.dll.5.drStatic PE information: section name: .kqpcjh
            Source: dxva2.dll.5.drStatic PE information: section name: .unbzj
            Source: dxva2.dll.5.drStatic PE information: section name: .tcuit
            Source: dxva2.dll.5.drStatic PE information: section name: .sow
            Source: dxva2.dll.5.drStatic PE information: section name: .znragi
            Source: DUI70.dll1.5.drStatic PE information: section name: .qkm
            Source: DUI70.dll1.5.drStatic PE information: section name: .cvjb
            Source: DUI70.dll1.5.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll1.5.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll1.5.drStatic PE information: section name: .wnx
            Source: DUI70.dll1.5.drStatic PE information: section name: .weqy
            Source: DUI70.dll1.5.drStatic PE information: section name: .yby
            Source: DUI70.dll1.5.drStatic PE information: section name: .ormx
            Source: DUI70.dll1.5.drStatic PE information: section name: .dhclu
            Source: DUI70.dll1.5.drStatic PE information: section name: .xmiul
            Source: DUI70.dll1.5.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll1.5.drStatic PE information: section name: .get
            Source: DUI70.dll1.5.drStatic PE information: section name: .hzrd
            Source: DUI70.dll1.5.drStatic PE information: section name: .qzu
            Source: DUI70.dll1.5.drStatic PE information: section name: .nhglos
            Source: DUI70.dll1.5.drStatic PE information: section name: .itzo
            Source: DUI70.dll1.5.drStatic PE information: section name: .nmsaom
            Source: DUI70.dll1.5.drStatic PE information: section name: .mas
            Source: DUI70.dll1.5.drStatic PE information: section name: .ldov
            Source: DUI70.dll1.5.drStatic PE information: section name: .bwslm
            Source: DUI70.dll1.5.drStatic PE information: section name: .gfceb
            Source: DUI70.dll1.5.drStatic PE information: section name: .nojmwb
            Source: DUI70.dll1.5.drStatic PE information: section name: .naznun
            Source: DUI70.dll1.5.drStatic PE information: section name: .iyfv
            Source: DUI70.dll1.5.drStatic PE information: section name: .iqae
            Source: DUI70.dll1.5.drStatic PE information: section name: .zco
            Source: DUI70.dll1.5.drStatic PE information: section name: .kqpcjh
            Source: DUI70.dll1.5.drStatic PE information: section name: .unbzj
            Source: DUI70.dll1.5.drStatic PE information: section name: .tcuit
            Source: DUI70.dll1.5.drStatic PE information: section name: .sow
Source: DUI70.dll1.5.dr | Static PE information: section name: .kdatc
Each of the five DLLs below carries the same 30 non-standard section names, in the same order, followed by one further name that differs per file. Identical randomly generated names across five different files are a builder artefact rather than linker output, and the shared set is a usable static fingerprint for this sample set (the per-file final name is not).
Source: dwmapi.dll1.5.dr, WINSTA.dll.5.dr, DUI70.dll2.5.dr, VERSION.dll0.5.dr, VERSION.dll1.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .wnx, .weqy, .yby, .ormx, .dhclu, .xmiul, .tlwcxe, .get, .hzrd, .qzu, .nhglos, .itzo, .nmsaom, .mas, .ldov, .bwslm, .gfceb, .nojmwb, .naznun, .iyfv, .iqae, .zco, .kqpcjh, .unbzj, .tcuit, .sow
Source: dwmapi.dll1.5.dr | Static PE information: section name: .kum
Source: WINSTA.dll.5.dr | Static PE information: section name: .ykoawy
Source: DUI70.dll2.5.dr | Static PE information: section name: .eavhk
Source: VERSION.dll0.5.dr | Static PE information: section name: .fwy
Source: VERSION.dll1.5.dr | Static PE information: section name: .varqbp
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 27_2_00007FF7B95BFA80
All thirteen files below store the same value, 0x7d786c40, in the PE header CheckSum field, while the checksum computed over each file differs. One stored value across files of different sizes means the field was never computed for any of them; it was most likely written as a constant by the packer or builder (an inference from the data, not something the report states).
Source: dwmapi.dll1.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x12e466
Source: K7dGM0P0yz.dll | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x13a6c7
Source: DUI70.dll.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x1731b6
Source: WINSTA.dll.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x138380
Source: VERSION.dll1.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x135f10
Source: DUI70.dll1.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x17ceb6
Source: dwmapi.dll0.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x135098
Source: dxva2.dll.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x131391
Source: VERSION.dll0.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x13830e
Source: dwmapi.dll.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x12f24d
Source: DUI70.dll2.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x17e239
Source: DUI70.dll0.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x180503
Source: VERSION.dll.5.dr | Static PE information: header CheckSum field: 0x7d786c40, computed over the file: 0x12ff28
Source: rdpinit.exe.5.dr | Static PE information: compile timestamp 0xC894E371 decodes to Fri Aug 21 01:59:13 2076 UTC, a date in the future. This is expected for a genuine Microsoft binary: Microsoft's reproducible builds store a hash rather than a build time in TimeDateStamp. Since rdpinit.exe is dropped here beside a dwmapi.dll (the layout of a DLL side-loading pair), what settles whether this copy was modified is its Authenticode signature and a hash comparison against the System32 copy, not this field.
Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679 (this line is reported 13 times in the original output)
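The three static indicators above (non-standard section names, a non-zero CheckSum field that does not match the value computed over the file, and a near-maximal .text entropy) can be reproduced with the Python standard library alone. The block below is an added example and is not part of the report or of Joe Sandbox. `build_pe()` constructs a minimal, non-loadable PE32+ image so the checks can run offline; `STANDARD_SECTIONS` is an analyst's allowlist (an assumption, not an official list); the section names, the stored checksum 0x7d786c40 and the 7.0 entropy threshold are taken from or chosen to match the report.

```python
"""Static PE triage: non-standard section names, stored-vs-computed CheckSum,
per-section entropy. Standard library only (no pefile). Added example, not
part of the sandbox report. build_pe() is a constructed test image."""
import math
import struct

# Analyst allowlist of section names a Microsoft/MSVC link normally emits (assumption).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".xdata", ".didat", ".gfids", ".00cfg",
                     "_RDATA", ".CRT"}


def pe_checksum(data, checksum_offset):
    """The PE CheckSum algorithm (as in imagehlp!CheckSumMappedFile): a 16-bit
    end-around-carry sum over the whole file, skipping the 4-byte CheckSum
    field itself, plus the file length."""
    padded = data + b"\x00" * (len(data) & 1)
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def shannon_entropy(blob):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (stored_checksum, checksum_field_offset, [(section_name, raw_bytes), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum_off = opt_off + 64                      # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[raw_ptr:raw_ptr + raw_size]))
    return stored, checksum_off, sections


def triage(data, entropy_threshold=7.0):
    stored, cs_off, sections = parse_pe(data)
    computed = pe_checksum(data, cs_off)
    return {
        "nonstandard_sections": [n for n, _ in sections if n not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        # A zero field is normal for unsigned binaries; a non-zero wrong one is not.
        "checksum_mismatch": bool(stored and stored != computed),
        "high_entropy_sections": [n for n, raw in sections
                                  if raw and shannon_entropy(raw) >= entropy_threshold],
    }


def build_pe(section_names, payloads, stored_checksum=None):
    """Constructed minimal PE32+ DLL (headers plus raw sections, 0x200 file alignment).
    With stored_checksum=None the correct value is written; otherwise the given one."""
    align = 0x200
    nsec = len(section_names)
    headers = -(-(0x40 + 4 + 20 + 240 + 40 * nsec) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 60, headers)                      # SizeOfHeaders
    hdrs, body, raw_ptr = bytearray(), bytearray(), headers
    for idx, (name, payload) in enumerate(zip(section_names, payloads)):
        size = -(-len(payload) // align) * align
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0x1000 * (idx + 1),
                            size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        raw_ptr += size
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs))
    image += b"\0" * (headers - len(image)) + body
    cs_off = 0x40 + 24 + 64
    if stored_checksum is None:
        stored_checksum = pe_checksum(bytes(image), cs_off)
    struct.pack_into("<I", image, cs_off, stored_checksum)
    return bytes(image)


if __name__ == "__main__":
    # Constructed sample modelled on the report: a random section name, the bogus
    # checksum 0x7d786c40 and a .text section of uniformly distributed bytes.
    sample = build_pe([".text", ".qkm", ".rdata"],
                      [bytes(range(256)) * 4, b"\x90" * 64, b"hello\0" * 20],
                      stored_checksum=0x7D786C40)
    print(triage(sample))
```

On a real file, `triage(open(path, "rb").read())` returns the same dictionary; the checksum and entropy figures it prints for the dropped DLLs should then agree with the lines above.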
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\YRu8\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\exotc\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\eF0\AgentService.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Fox\dxva2.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\eF0\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Fox\dccw.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hJetkV\dwmapi.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\I0o\dwmapi.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\exotc\osk.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\I0o\rdpclip.exe
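The drop list above has a fixed shape: twelve randomly named folders under %LOCALAPPDATA%, each holding one executable next to one DLL that bears the name of a DLL shipped in System32 (dwmapi.dll, VERSION.dll, DUI70.dll, WINSTA.dll, dxva2.dll). That is the on-disk layout of DLL side-loading, and it can be hunted for independently of any hash. The block below is an added example, not part of the report or of Joe Sandbox: `DROPPED_PATHS` copies the 24 paths listed above and adds three constructed negatives; `SYSTEM_DLL_NAMES` is a hand-picked subset (an assumption), and `scan_tree()` shows how to replace it with the real System32 listing on a Windows host.

```python
"""Side-loading pair finder: flags a directory holding an .exe together with a
.dll whose name matches a DLL normally found in System32. Added example, not
part of the sandbox report. DROPPED_PATHS copies the report's drop list plus
three constructed negatives; SYSTEM_DLL_NAMES is a hand-picked subset."""
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Hand-picked subset of System32 DLL names (assumption); scan_tree() builds the full set.
SYSTEM_DLL_NAMES = {"dwmapi.dll", "version.dll", "dui70.dll", "winsta.dll",
                    "dxva2.dll", "uxtheme.dll", "propsys.dll", "cryptbase.dll"}

DROPPED_PATHS = [
    r"C:\Users\user\AppData\Local\YRu8\DUI70.dll",
    r"C:\Users\user\AppData\Local\exotc\DUI70.dll",
    r"C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll",
    r"C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe",
    r"C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe",
    r"C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll",
    r"C:\Users\user\AppData\Local\eF0\AgentService.exe",
    r"C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll",
    r"C:\Users\user\AppData\Local\hJetkV\rdpinit.exe",
    r"C:\Users\user\AppData\Local\Fox\dxva2.dll",
    r"C:\Users\user\AppData\Local\eF0\VERSION.dll",
    r"C:\Users\user\AppData\Local\1DwRown1P\wextract.exe",
    r"C:\Users\user\AppData\Local\Fox\dccw.exe",
    r"C:\Users\user\AppData\Local\hJetkV\dwmapi.dll",
    r"C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll",
    r"C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll",
    r"C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe",
    r"C:\Users\user\AppData\Local\I0o\dwmapi.dll",
    r"C:\Users\user\AppData\Local\YRu8\wlrmdr.exe",
    r"C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe",
    r"C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll",
    r"C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe",
    r"C:\Users\user\AppData\Local\exotc\osk.exe",
    r"C:\Users\user\AppData\Local\I0o\rdpclip.exe",
    # Constructed negatives: a lone executable, and an exe beside a non-system DLL.
    r"C:\Users\user\AppData\Local\Temp\setup.exe",
    r"C:\Users\user\AppData\Local\Foo\app.exe",
    r"C:\Users\user\AppData\Local\Foo\helper.dll",
]


def sideload_pairs(paths, system_dlls=SYSTEM_DLL_NAMES):
    """Return sorted (directory, exe, dll) triples for every exe that shares a
    directory with a DLL whose name is in system_dlls."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for p in paths:
        wp = PureWindowsPath(p)
        ext = wp.suffix.lower()
        if ext in (".exe", ".dll"):
            by_dir[str(wp.parent)][ext[1:]].append(wp.name)
    pairs = []
    for directory, files in by_dir.items():
        for exe in files["exe"]:
            for dll in files["dll"]:
                if dll.lower() in system_dlls:
                    pairs.append((directory, exe, dll))
    return sorted(pairs)


def scan_tree(root, system_dlls=None):
    """Same check over a live directory tree (e.g. %LOCALAPPDATA% on a suspect host).
    On Windows the DLL name set is taken from the real System32 listing."""
    if system_dlls is None:
        system_dlls = SYSTEM_DLL_NAMES
        sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        if os.path.isdir(sys32):
            system_dlls = {f.lower() for f in os.listdir(sys32) if f.lower().endswith(".dll")}
    paths = [os.path.join(dp, f) for dp, _dirs, fs in os.walk(root) for f in fs]
    return sideload_pairs(paths, system_dlls)


if __name__ == "__main__":
    for directory, exe, dll in sideload_pairs(DROPPED_PATHS):
        print(f"{directory}: {exe} + {dll}")
```

A hit from this scan is only a candidate: the next step is to hash the flagged DLL against the System32 copy and check its Authenticode signature, which is where a side-loaded DLL, unlike the host executable beside it, fails.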
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 24_2_00007FF79A6F3464
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 4 times)
Source: C:\Windows\explorer.exe TID: 4596 | Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1C2EA4 rdtsc 20_2_00007FF6CE1C2EA4
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError, 27_2_00007FF7B958507C
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree, 27_2_00007FF7B95B2380
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 30_2_00007FF71B679110
The VMware device strings below come from memory dumps of explorer.exe (process 5, the injection target) and describe the analysis VM's own storage devices, which explorer enumerates on its own; by themselves they do not show the sample fingerprinting virtualization.
Source: explorer.exe, 00000005.00000000.675145549.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.718116575.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000005.00000000.702853289.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.685209746.0000000004791000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.676311661.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95C0D50 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 27_2_00007FF7B95C0D50
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B642EF0 OutputDebugStringW,OutputDebugStringW,EventRegister,EventSetInformation,RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,GetLastError, 30_2_00007FF71B642EF0
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF6369849E0 GetProcessHeap,HeapFree, 16_2_00007FF6369849E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A29ED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput, 37_2_00007FF66A29ED00
The SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess sequences below, and the IsProcessorFeaturePresent / RtlCaptureContext / RtlVirtualUnwind / IsDebuggerPresent sequence in GamePanel.exe, are the MSVC CRT's security-cookie failure handler (__report_gsfailure and its helpers) and appear in any binary built with /GS. They carry no weight against the dropped executables, which by their pairing with a system-named DLL in each folder are the likely side-loading hosts rather than the payload.
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636987480 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF636987480
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636987680 SetUnhandledExceptionFilter, 16_2_00007FF636987680
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1EF1E0 SetUnhandledExceptionFilter, 20_2_00007FF6CE1EF1E0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1EEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF6CE1EEA28
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1F72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FF6CE1F72B4
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F4014 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF79A6F4014
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3D90 SetUnhandledExceptionFilter, 24_2_00007FF79A6F3D90
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95CFC30 SetUnhandledExceptionFilter, 27_2_00007FF7B95CFC30
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95CFE9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF7B95CFE9C
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B6F0304 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF71B6F0304
Source: C:\Users\user\AppData\Local\Fox\dccw.exe | Code function: 32_2_00007FF7D526F894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF7D526F894
Source: C:\Users\user\AppData\Local\Fox\dccw.exe | Code function: 32_2_00007FF7D526FBA0 SetUnhandledExceptionFilter, 32_2_00007FF7D526FBA0
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe | Code function: 34_2_00007FF6312D2BE0 SetUnhandledExceptionFilter, 34_2_00007FF6312D2BE0
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe | Code function: 34_2_00007FF6312D29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF6312D29D0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_00007FF66A30BD44
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30BF20 SetUnhandledExceptionFilter, 37_2_00007FF66A30BF20
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF66A30B284

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: DUI70.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98
Sandbox decode (32-bit): 0x00000000 inc eax; 0x00000001 push ebp; 0x00000002 push ebx; 0x00000003 push esi; 0x00000004 push edi; 0x00000005 inc ecx; 0x00000006 push esp; 0x00000007 inc ecx; 0x00000008 push esi; 0x00000009 dec eax; 0x0000000a lea ebp, dword ptr [esp-2Fh]; 0x0000000e dec eax; 0x0000000f sub esp, 00000098h
That listing is a 32-bit disassembly of what is in fact x64 code: read as x64, the 0x40, 0x41 and 0x48 bytes are REX prefixes and the sequence is an ordinary function prologue, push rbp; push rbx; push rsi; push rdi; push r12; push r14; lea rbp, [rsp-0x2F]; sub rsp, 0x98 (the sub's 32-bit immediate is cut off after its first byte at the end of the atom string shown; the sandbox's decode assumes the rest is zero). An atom whose name is machine code rather than text is the distinguishing artefact of AtomBombing: the injector stores code with GlobalAddAtom, and the APC queued into explorer.exe above makes the target copy it into its own memory with GlobalGetAtomName, after which the memory-protection changes make that region executable.
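The three signatures above are one chain: rundll32.exe makes regions of explorer.exe executable, queues an APC into it, and creates an atom whose name is x64 machine code. The block below is an added example, not part of the report or of Joe Sandbox, of correlating such behaviour records into a single injection finding. `RECORDS` is constructed to mirror the lines above (with ' | ' separating the acting process from the observation) plus one constructed benign control, a text atom; the regexes are written for that shape and need adapting to other export formats, and the x64-prologue heuristic is an analyst rule of thumb, not a disassembler.

```python
"""Correlate sandbox behaviour records into a cross-process injection chain:
memory made executable in another process + an APC queued into it, with any
code-carrying atoms the injector created and any PE files the target wrote.
Added example, not part of the sandbox report. RECORDS is constructed."""
import re
from collections import defaultdict

RECORDS = [
    r"Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write",
    r"Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read",
    r"Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write",
    r"Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98",
    r"Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hJetkV\dwmapi.dll",
    r"Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe",
    # Constructed benign control: a text atom ("Progman" as hex) of the kind explorer adds itself.
    r"Source: C:\Windows\explorer.exe | Atom created: 50726F676D616E",
]

REC = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<obs>.+)$")
OBSERVATIONS = {
    "memprot": re.compile(r"^Memory protected:\s*(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+protect:\s*(?P<prot>.+)$"),
    "apc": re.compile(r"^Thread APC queued:\s*target process:\s*(?P<target>.+)$"),
    "atom": re.compile(r"^Atom created:\s*(?P<hex>[0-9A-Fa-f]+)$"),
    "file": re.compile(r"^File created:\s*(?P<path>.+)$"),
}


def parse_record(line):
    """One record -> {'kind', 'src', ...fields} or None for lines we do not model."""
    m = REC.match(line)
    if not m:
        return None
    for kind, rx in OBSERVATIONS.items():
        mm = rx.match(m.group("obs"))
        if mm:
            return {"kind": kind, "src": m.group("src"), **mm.groupdict()}
    return None


def looks_like_x64_prologue(code):
    """Analyst heuristic: a run of at least three push instructions (REX prefixes
    allowed, so 41 54 = push r12 counts) and a 'sub rsp, imm' (48 81 EC or
    48 83 EC) within the first 32 bytes. Text atoms fail this; the report's passes."""
    i = pushes = 0
    while i < len(code):
        b = code[i]
        if 0x40 <= b <= 0x4F:            # REX prefix
            i += 1
        elif 0x50 <= b <= 0x57:          # push r64
            pushes += 1
            i += 1
        else:
            break
    head = code[:32]
    return pushes >= 3 and (b"\x48\x81\xec" in head or b"\x48\x83\xec" in head)


def injection_chains(records):
    """Return one finding per (injector, target) pair that both changed the
    target's memory to an executable protection and queued an APC into it."""
    pairs = defaultdict(lambda: {"exec": [], "apc": False})
    code_atoms, drops = defaultdict(list), defaultdict(list)
    for ev in filter(None, map(parse_record, records)):
        if ev["kind"] == "memprot" and "execute" in ev["prot"].lower():
            pairs[(ev["src"], ev["target"])]["exec"].append(ev["base"])
        elif ev["kind"] == "apc":
            pairs[(ev["src"], ev["target"])]["apc"] = True
        elif ev["kind"] == "atom":
            if len(ev["hex"]) % 2 == 0 and looks_like_x64_prologue(bytes.fromhex(ev["hex"])):
                code_atoms[ev["src"]].append(ev["hex"])
        elif ev["kind"] == "file" and ev["path"].lower().endswith((".exe", ".dll")):
            drops[ev["src"]].append(ev["path"])
    chains = []
    for (src, tgt), d in pairs.items():
        if d["exec"] and d["apc"]:
            atoms = code_atoms.get(src, [])
            chains.append({
                "source": src, "target": tgt, "exec_regions": d["exec"],
                "code_atoms": atoms, "target_drops": drops.get(tgt, []),
                "technique": "APC injection" + (" via code-carrying atoms (AtomBombing-style)" if atoms else ""),
            })
    return chains


if __name__ == "__main__":
    for chain in injection_chains(RECORDS):
        print(chain)
```

The `target_drops` field ties the chain to the "Benign windows process drops PE files" signature: the files are written by explorer.exe only because it is the injected process, so in a detection they should be attributed to rundll32.exe (and to the DLL it loaded), not to explorer.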
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1Jump to behavior
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A308CAC mouse_event,SetForegroundWindow,37_2_00007FF66A308CAC
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,16_2_00007FF63698459C
            Source: explorer.exe, 00000005.00000000.700623963.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.687657205.0000000005E50000.00000004.00000001.sdmp, rdpinit.exeBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmpBinary or memory string: Initialize failedDwmpGetColorizationParameters failedDwmpSetColorizationParametersCRdpTrayTaskbarCreatedShell_TrayWndRdptrayTSCreateAppbarTrayFN failedTSCreateShellNotifyTrayFN failedTSCreateTaskbarTrayFn failedTSCreateWindowCloakingTracker failedFailed g_RailOrderEncoder.InitializeFailed g_RailOrderEncoder.StartUpdating max icon size for the tray icon failed.m_spAppBarTrayFnm_spWindowCloakingTrackerRemoveWindow failedRemoveDestroyedWindows failed~/
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,37_2_00007FF66A2F0A3C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,37_2_00007FF66A2FCE28
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,37_2_00007FF66A2FA840
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,37_2_00007FF66A276068
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize,37_2_00007FF66A2972C8
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError,27_2_00007FF7B958507C
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF636987810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,16_2_00007FF636987810
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1EE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA,20_2_00007FF6CE1EE34B
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F1B64 memset,GetModuleHandleW,LoadStringW,LocalAlloc,GetUserNameExW,GetLastError,LocalAlloc,LocalFree,LocalFree,WindowsDeleteString,WindowsDeleteString,GetUserNameExW,wcschr,WindowsCreateString,WindowsDeleteString,WindowsCreateString,WindowsDeleteString,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsIsStringEmpty,WindowsIsStringEmpty,WindowsCreateStringReference,RaiseException,RoActivateInstance,RaiseException,WindowsCreateStringReference,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,GetSystemTimeAsFileTime,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsCreateStringReference,RaiseException,24_2_00007FF79A6F1B64
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF6369847F9 RpcBindingFree,16_2_00007FF6369847F9
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,16_2_00007FF63698459C
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF636984932 RpcBindingFree,16_2_00007FF636984932
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF636984730 NdrClientCall3,RpcBindingFree,16_2_00007FF636984730
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: 16_2_00007FF636984868 NdrClientCall3,RpcBindingFree,16_2_00007FF636984868
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E3F90 RpcBindingFree,20_2_00007FF6CE1E3F90
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,20_2_00007FF6CE1E1FE0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW,20_2_00007FF6CE1E3FE0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1CD87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle,20_2_00007FF6CE1CD87C
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,20_2_00007FF6CE1E1DF0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E3630 SetPropW,RpcBindingFree,20_2_00007FF6CE1E3630
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F3578 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree,24_2_00007FF79A6F3578
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F3020 memset,RpcBindingFree,GetAncestor,EnableWindow,CloseHandle,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,EnableWindow,LocalFree,24_2_00007FF79A6F3020
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A9180 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,27_2_00007FF7B95A9180
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B958B1A4 AllocateAndInitializeSid,GetCurrentProcessId,ProcessIdToSessionId,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateEventW,GetLastError,27_2_00007FF7B958B1A4
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A64D0 GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcServerListen,27_2_00007FF7B95A64D0
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95A9370 RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,CloseHandle,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,27_2_00007FF7B95A9370
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B958AF50 RpcBindingInqAuthClientW,RpcImpersonateClient,RpcRevertToSelf,27_2_00007FF7B958AF50

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts1 | Native API1 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution1 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Peripheral Device Discovery1 | Remote Desktop Protocol | Screen Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Command and Scripting Interpreter2 | Windows Service3 | Access Token Manipulation11 | Obfuscated Files or Information3 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Input Capture11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Service Execution2 | Logon Script (Mac) | Windows Service3 | Software Packing2 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Process Injection312 | Timestomp1 | LSA Secrets | System Information Discovery45 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Query Registry2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts1 | DCSync | Security Software Discovery41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion1 | Proc Filesystem | Virtualization/Sandbox Evasion1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation11 | /etc/passwd and /etc/shadow | Process Discovery2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection312 | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Rundll321 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph

            Behavior Graph ID: 492437
            Sample: K7dGM0P0yz
            Start date: 28/09/2021
            Architecture: WINDOWS
            Score: 96

            Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

            Process tree recovered from the graph:
            • loaddll64.exe (started)
              • rundll32.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
                • explorer.exe (injected); signature: Benign windows process drops PE files
                  • dropped: C:\Users\user\AppData\Local\...\WINSTA.dll (PE32+); C:\Users\user\AppData\Local\I0o\dwmapi.dll (PE32+); C:\Users\user\AppData\Local\Fox\dxva2.dll (PE32+); 21 other files (2 malicious)
                  • started: rdpclip.exe; bdechangepin.exe; wlrmdr.exe; 13 other processes
              • cmd.exe (started)
                • rundll32.exe (started)
              • rundll32.exe (started)
              • rundll32.exe (started)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            K7dGM0P0yz.dll | 62% | Virustotal |
            K7dGM0P0yz.dll | 66% | Metadefender |
            K7dGM0P0yz.dll | 78% | ReversingLabs | Win64.Infostealer.Dridex
            K7dGM0P0yz.dll | 100% | Avira | TR/Crypt.ZPACK.Gen

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\I0o\dwmapi.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\Fox\dxva2.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\I0o\dwmapi.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\I0o\dwmapi.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 1% | Virustotal |
            C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            30.2.AgentService.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            32.2.dccw.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.2.rdpinit.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.2.rdpclip.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            34.2.dpapimig.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            24.2.wlrmdr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            37.2.GamePanel.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            16.2.bdechangepin.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://mixer.com/api/v1/oauth/xbl/login | GamePanel.exe | false | | high
            https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw | GamePanel.exe | false | | high
            https://aka.ms/imrx2o | GamePanel.exe | false | | high
            https://mixer.com/_latest/assets/emoticons/%ls.png | GamePanel.exe | false | | high
            https://mixer.com/api/v1/users/current | GamePanel.exe | false | | high
            https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://mixer.com/api/v1/broadcasts/current | GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://mixer.com/%wsWindows.System.Launcher | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://aka.ms/v5do45 | GamePanel.exe | false | | high
            https://mixer.com/api/v1/types/lookup%ws | GamePanel.exe | false | | high
            https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://aka.ms/wk9ocd | GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://MediaData.XboxLive.com/broadcasts/Augment | GamePanel.exe | false | | high
            https://aka.ms/imfx4k | GamePanel.exe | false | | high
            https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
            https://MediaData.XboxLive.com/gameclips/Augment | GamePanel.exe | false | | high
            https://www.xboxlive.com | GamePanel.exe | false | | high
            https://mixer.com/api/v1/channels/%d | GamePanel.exe | false | | high
            https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://mixer.com/api/v1/channels/%ws | GamePanel.exe | false | | high
            https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://MediaData.XboxLive.com/screenshots/Augment | GamePanel.exe | false | | high
            https://mixer.com/api/v1/chats/%.0f | GamePanel.exe | false | | high
            https://aka.ms/ifg0es | GamePanel.exe | false | | high
            https://mixer.com/%ws | GamePanel.exe | false | | high
            https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
            https://aka.ms/w5ryqn | GamePanel.exe | false | | high

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version: 33.0.0 White Diamond
            Analysis ID: 492437
            Start date: 28.09.2021
            Start time: 17:50:05
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 17m 2s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: K7dGM0P0yz (renamed file extension from none to dll)
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 40
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal96.troj.evad.winDLL@54/25@0/0
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 13.4% (good quality ratio 10.2%)
            • Quality average: 49.7%
            • Quality standard deviation: 37.9%
            HCA Information: Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Override analysis time to 240s for rundll32
            • Stop behavior analysis, all processes terminated
            Warnings:
            • Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 20.50.102.62, 23.211.5.146, 23.211.6.115, 20.82.209.183, 8.248.113.254, 8.248.131.254, 8.253.145.105, 8.248.141.254, 8.248.115.254, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154, 13.107.253.254, 13.107.3.254, 204.79.197.200, 13.107.21.200, 52.113.196.254
            • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fg.download.windowsupdate.com.c.footprint.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, teams-9999.teams-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, t-ring.msedge.net, s-ring.s-9999.s-msedge.net, ris.api.iris.microsoft.com, t-9999.fb-t-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, s-9999.s-msedge.net, e16646.dscg.akamaiedge.net, teams-ring.teams-9999.teams-msedge.net, t-ring.t-9999.t-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed; the report is missing behavior information
            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll
            Process: C:\Windows\explorer.exe
            File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category: dropped
            Size (bytes): 1228800
            Entropy (8bit): 5.53691452928469
            Encrypted: false
            SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5: DF5AED1E7334B5161F7CC73BDE5E762F
            SHA-1: 6D2D5D355A25AA4DE95A15BD3FE0AF7EEEB30BDB
            SHA-256: BB5955DB9B52EFEC9203BFEBB6C7E454DB3BB5467A44CB8C193F886264E0952F
            SHA-512: 4AF3794C0FE0E2A93A2809F17927D08A9C089F4B673B06FC9D3F9AACC887AE94C1543F0C1F3B0BEDEA4EF0820E3C61EC64DAC4D7631E4AEE396E93D2B12FACE3
            Malicious: true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            Reputation: unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):143872
                                                                Entropy (8bit):6.942627183104786
                                                                Encrypted:false
                                                                SSDEEP:3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
                                                                MD5:ED93B350C8EEFC442758A00BC3EEDE2D
                                                                SHA1:ADD14417939801C555BBBFFAF7388BD13DE2DE42
                                                                SHA-256:ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
                                                                SHA-512:7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Virustotal, Detection: 1%
                                                                • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1511424
                                                                Entropy (8bit):5.896383458119775
                                                                Encrypted:false
                                                                SSDEEP:12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ19EBO:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:EE78A2DF136C664229F3326713DC7EE1
                                                                SHA1:886634C1499AAB4A18515FFB4C4B3E80EF5F07F8
                                                                SHA-256:C563D23DBEB6BBC8364A8600B1D69240FCF450AE8107789320AB3A76149B087B
                                                                SHA-512:6173C76A3E5528D9F9430886D5F60CF877D50EA8343C2F37EF39BCA65EC1CE762E3987A26F8BE735424CC987B89E8F9B9004D5C2C9ECF9746C05DF6D995528A0
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):369664
                                                                Entropy (8bit):6.503464732962775
                                                                Encrypted:false
                                                                SSDEEP:6144:so87gEZlHVxHEVHHHQVb1kHVqHVqHQQbTuTRTHTfTEHVf2XTQT6TITQT+VyW1727:1H+S+
                                                                MD5:013D00A367D851B0EC869F209337754E
                                                                SHA1:240B731FAA42E170511C1D0676B3ADE76712451B
                                                                SHA-256:3D0BFED2F2A17FA8246634FDA7162A1BE56DDB3080519BCEFEAFD69FBC7F2FE1
                                                                SHA-512:BD55925D3EC097FDD713A6847F69005C7B1007DBFAEAAFD02B0B23567F81C5721B4BFAF6A87DB1E94F4D71D6CC5E23AA31C443FD9030BD2D630489E9E7360662
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j..9..9..9.8..9.8..9.8..9.8..9..9..9.8..9.8..9.k9..9.8..9Rich..9........................PE..d...l..`.........."......r...4......0t.........@..........................................`.......... ..................................T...4........@..X....0..|.......................T............................................................................text....q.......r.................. ..`.rdata..v............v..............@..@.data........ ......................@....pdata..|....0......................@..@.rsrc...X....@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):657920
                                                                Entropy (8bit):7.269727423438011
                                                                Encrypted:false
                                                                SSDEEP:12288:Nj8lLdFv9GOhS/IzJqrraq/t2qXy6xdRhMA:l8xdFAGS/EEn/tkI
                                                                MD5:341515B9556F37E623777D1C377BCFAC
                                                                SHA1:B0D81F3BCBEAECDFA77DBACE763A07629B9CC2EB
                                                                SHA-256:47DD54A2FDB59C1FB69EA8610CD83E2434F435C56A5FE62E67D0F98B3101A49D
                                                                SHA-512:3639A898B9C636360700325BA3F7F34346AF2A17628C82F23E68074CEB08014D63F42F05D7758B8D0EC0B872EE7098BC10065D338BAF243837937B9648053249
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.O.*HO.*HO.*HF..HM.*H .)IL.*H ..I[.*H ./II.*H .+IV.*HO.+H..*H .#Id.*H ..HN.*H .(IN.*HRichO.*H........................PE..d...U.|...........".................0..........@.............................P......$P....`.......... ......................................PV..................x............@.......I..T........................... $.............. %...............................text...Q........................... ..`.rdata...`.......b..................@..@.data................Z..............@....pdata..x............`..............@..@.rsrc................n..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Fox\dxva2.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.542172636035629
                                                                Encrypted:false
                                                                SSDEEP:12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:7F28477F617456F9929FB3541D746401
                                                                SHA1:045763F7973993958B1C2267353544F47DD6E599
                                                                SHA-256:341334FA5B1458456B116C4CE98EE1916AB5DF228214036E2B456F952311CBF4
                                                                SHA-512:E2FEC3F3122698A7214A696C68027CBCDF8C99D5789C15F7FD5B091052E70F1B65D34F16BD33622157412666569C9DC9C139329A7D90518B82A92AA37E4DD30B
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\I0o\dwmapi.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.543714406979621
                                                                Encrypted:false
                                                                SSDEEP:12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:0818E1DEC9E4CE0B7A3A4FC491BED4AD
                                                                SHA1:DDF3EA43D0476D832810836E97B927CECE6A790E
                                                                SHA-256:ABEA917358081962151976C8452C1CC9DDEB31AB7DAAF984CF0E3D0EACAC9451
                                                                SHA-512:01FE9B3C732CE2B894DB133BB90B0CA67BCDC566D6D112E2699EA30F1DE5227571AD8427D55A2D73EFB4CBDB75AB167E6E02DF441E83B1D917D8B1962E63BACC
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):417280
                                                                Entropy (8bit):6.35897604208479
                                                                Encrypted:false
                                                                SSDEEP:12288:gchwbB56CegxMQkCUWtz4vlMqTLMCPSZ4jxALjK+5zBQ:ZwbB56MxMQkCUWtz4vlMqHtDjxALz
                                                                MD5:1690E3004F712C75A2C9FF6BCDE49461
                                                                SHA1:306498E9A9F1C6B2813DAD7CDCD8433139201794
                                                                SHA-256:10675ECAC736BF3FA5175330EF22D3F1E252A698072C58CBA3DE0A208E751FB2
                                                                SHA-512:1783E724B83C02647E79D3591839F85868393464542854855F1F42C4E142A5846EBF71343FE2B9284A61FD42C471886FF058E7956A434A0F4938C267C2ED676C
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...........h(.....t......t......t......t.............t.......tD.....t.....Rich............PE..d....v5..........."............................@....................................v.....`.......... ......................................p...|.......(........*..................@...T....................;..(....:...............;...............................text............................... ..`.rdata..............................@..@.data....Y...0......................@....pdata...*.......,..................@..@.rsrc...(............D..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\YRu8\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1511424
                                                                Entropy (8bit):5.896660376124476
                                                                Encrypted:false
                                                                SSDEEP:12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1IsO:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:3F27811A36A5760C80B6B666978726B7
                                                                SHA1:D00C621692F2B080DFEEE144CD44B93FA030D502
                                                                SHA-256:982771F1FD4E745E1F29EF571F364EF7A693DAB2460E5FE11068E1F35793AE10
                                                                SHA-512:04E1DB29A2E6552EB1A2838CAA2E29E8DBC7B4BB609085AD2153843172C341B1CF1335E112AACCD352B0827C1BA08B69C018CC739D45BBA5C1BDC03F24D19B6D
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):65704
                                                                Entropy (8bit):5.834154867756865
                                                                Encrypted:false
                                                                SSDEEP:1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
                                                                MD5:4849E997AF1274DD145672A2F9BC0827
                                                                SHA1:D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
                                                                SHA-256:B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
                                                                SHA-512:FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.s... ... ... .s\ ... .o.!... .o.!... .o.!... .o.!... ... t.. .o.!... .o0 ... .o.!... Rich... ........PE..d....2............"......4...........:.........@.............................@......b................P..................................................xg...............$...0.......y..T............................f...............g..x............................text....3.......4.................. ..`.imrsiv......P...........................rdata..J2...`...4...8..............@..@.data...h............l..............@....pdata...............n..............@..@.rsrc...xg.......h...r..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1189376
                                                                Entropy (8bit):6.169931271903684
                                                                Encrypted:false
                                                                SSDEEP:24576:+pL4Q4y94x7ZWe6b1B5I2M62kM0s1vt2txc/viVO1IORNfLc:uL4Q3S9b6b1UA9MPwOR5c
                                                                MD5:F7E36C20DB953DFF4FDDB817904C0E48
                                                                SHA1:8C6117B5DD68D397FD7C32F4746FB9B353D5DAE5
                                                                SHA-256:2C5EDE0807D8A5EC4B6E0FE0C308B37DBBDE12714FD9ADC4CE3EF4E0A5692207
                                                                SHA-512:32333A33DECD1AF0915FFDC48DA99831DA345010A91630C5245F2548939E33157F6151F596C09D0BEEAC3F15F08F79D4EEF4FAA4158BA023DEDFC4F6F6F56DF8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:K..[%M.[%M.[%M.?&L.[%M.? L.[%M.?!L.[%M.?$L.[%M.[$M.Z%M.?,L.[%M.?.M.[%M.?'L.[%MRich.[%M........................PE..d...m.>l.........."..........B.................@.....................................=....`.......... ...............................................P.. ........x...........`..`...p-..T...................pI..(...pH...............I...............................text...L........................... ..`.rdata..| ......."..................@..@.data...@....@...r..."..............@....pdata...x.......z..................@..@.rsrc... ....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\eF0\VERSION.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.536934052743529
                                                                Encrypted:false
                                                                SSDEEP:12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:219B93338FA30EB02E7451F508CFA0B1
                                                                SHA1:6BBA18D636CAE803886B79067C411C03444E7592
                                                                SHA-256:35C8F18CCB9FCE67FDD3B66656106C2009A173DE3D369B1242DFB33E76835E90
                                                                SHA-512:E5039FC22455C5107C9F70C2669A2B004930263D08F852BE77AD91C3C8362C967D215434730930D074A96CC8C0C80A21AF1C8FA9982CD8E061DE5E36E62B47B8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\exotc\DUI70.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1511424
Entropy (8bit): 5.896421125435813
Encrypted: false
SSDEEP: 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1RlO:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: B912502E1D3911B150786E6C32B98EAC
SHA1: 12A12E5E06C930F06FA21D33112811F84C2FB8F9
SHA-256: 83BECCAB2D4301D50C24E8589DEDFA1A399E3793C1FAAB7C653634B19B237922
SHA-512: 9D5CAC7A3ED29F165BCEA8BEE5C1D9B0EF88E7D925C8A8356F24F092D75081C4502836CFD275854A168684B6F07D7E0782C520B968287F150B8C7D0D38C286E5
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\exotc\osk.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 622592
Entropy (8bit): 5.333446181330722
Encrypted: false
SSDEEP: 6144:ejoj2QDVJc1OcvH3AdKy9HGeofJgDEvr6slnCUGw/xIRLtxIRLuovZ:koj2UjmNwzaoo
MD5: 88B09DE7D0DF1D2E9BCA9BAE1346CB23
SHA1: 83EEE4D2BF315730666763D7FA36A584224CA7EC
SHA-256: 7AC4B734A31AC4C29CCC53B7433773911CA46E1063A8B0F033AB9027D3427342
SHA-512: 38DD3F5A9C60D242AD9BECE1407CBB007ED8A50A1844B9A4378ADB17AAAF0FEDB6A9D1E04642D49560717958A12E668A9A3CDD4484BD049509A89AC2EEB9E478
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1292288
Entropy (8bit): 6.159394598062476
Encrypted: false
SSDEEP: 24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
MD5: 4EF330EFAE954723B1F2800C15FDA7EB
SHA1: 3E152C0B10E107926D6A213C882C161D80B836C9
SHA-256: 0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
SHA-512: C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1228800
Entropy (8bit): 5.543680531167794
Encrypted: false
SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 000F0121D8502FB399215991CBE04E33
SHA1: 4AFC45A9A8550F5F38E3181EB07909FC0CF0EA42
SHA-256: 9EACC38B33ED6655A84D208A4778AF869CB506983FF9D93060D005A5A1077598
SHA-512: 55909517C46141816AABF9BF3EBBA9E85D5F0AB4F07A16E3538DB0450BE52B59DA92AF3C319EF599FB3857A001A8BECFEDF967178604F43BEA5CB2EFBE916D59
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\hJetkV\dwmapi.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1228800
Entropy (8bit): 5.543687120385596
Encrypted: false
SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 37AB4714A1A9BE575D9EE2137ECE608B
SHA1: B7ECAD662ABAD3A2BCE683C956F17ABC23768581
SHA-256: 36BB67D5D7B0F3610578F45D3262BF6E4BAF8F7FF48EB7A019D84EA8885E996E
SHA-512: 12C5CA5E762FE63C6A66D5F45A4234A0E1CED08A768EBCB24B0ED82A4B28AD707D50D721C666DB80A6F225DB4ACCC57478082A319480A4C082BDA376FD78D287
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 327168
Entropy (8bit): 6.414070673036673
Encrypted: false
SSDEEP: 6144:fOzsB7eGjsO+VxyQ/qY4gCJkxkVPXqdzVxNwK3S3drxhUS4eMZfCZc/o:fOzsB7eGjb+VxynJkxkZ6dzV63drxhlF
MD5: EF7C9CF6EA5B8B9C5C8320990714C35D
SHA1: 9CBD44DE4761F9383F2E0352035D52B86ECE80C2
SHA-256: 0FD9B6C366E042ED83BFC53C5EA1AAF43F13F53D97F220B5571681BB766C33FA
SHA-512: C2F5E902DF725BC05F03052042767635689A35226CA1C3436ADF4835C57666B3E815FD386B80517734AC3B71F2FB15E48CE2F6739D669B5F68F4A8989713E8FC
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1228800
Entropy (8bit): 5.536953957276552
Encrypted: false
SSDEEP: 12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: A68FC5717015D2B4DC19B2540F8AE853
SHA1: 9977CB586D84D9CAFA160B5A85A24D69AC90F0F7
SHA-256: 9A6904E378CE6177B4EEE9418A5FB4A819C8DD4BD9B2120D4E9CC8B7AE2BB970
SHA-512: 9727F063DAB4C35D377683095FD1E792DCF6B353CC8F00EF04C8C9FF34096D74DE4BE06356AFD3D4D46B4108100E536F4FB946D93AACE124506F3EA4E4DE7F91
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 506184
Entropy (8bit): 6.340311139921773
Encrypted: false
SSDEEP: 6144:5el0JVJ8W9WUYEBaH2+8yafsjs3hXx6EfjZTheegL57KUgQGEEEsND0ZCYWh9Aig:UCVRAlEBgKyiv3V2e+X
MD5: 872AE9FE08ED1AA78208678967BE2FEF
SHA1: 846E6D44FBD2A5B9AC53427300B71D82355C712E
SHA-256: 457EA0477CB26432088F4EB910CFFBCBFA597EF65D63E9DB9109ED8529C902D4
SHA-512: 5235DEC4BA556975B07B22729D1ECB0FB513D15D58DB94737B0B8B25AB4C629255B4EA2D8B6854DB53F0E79C3EE7B742850C5C604A0BE04B1C251216A395A427
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1511424
Entropy (8bit): 5.896665120315234
Encrypted: false
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1cDO:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: C4AD4584D4CBBC387737C8EF59DB767A
SHA1: 0AC719E2C31FA65190897EE6A1F4C052834647E8
SHA-256: 08DC291C1867F79B4E24845092D9D8D97ECA19EC7A50436992A00A30FF8A92F5
SHA-512: 5D68EF2434EC9615DF92433DB00A71081F46CD8D0393BA9F2F51F9CDE795233F8C76C40500403A94CAC7C5F44633C1E42151D8628BBC87C141BA4C181D9DEB0C
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 76800
Entropy (8bit): 5.908989367752963
Encrypted: false
SSDEEP: 1536:CzbG9gXEurcYIZh800l3uU1HIED1fCbWpygzU:obezur2hrSJj16bE
MD5: EE7DB7B615B48D8F9F08FAE70CAF46D7
SHA1: FB5021297FDF24000ADD478164EEC8048871B335
SHA-256: 7999B821F8A673B0528C8F5F72A68A61393BEF78785FC1B4A0B3938D8CDD14B8
SHA-512: F2292577166A330409813215DD49F2A276739AB51621316FBD418A377F4FD2476E50720A88F3069D16146E5C57DF47B21D800089EE48B28158BCBCFE3B6776AB
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 29184
Entropy (8bit): 5.483991269470949
Encrypted: false
SSDEEP: 384:x1i6wkbsVQCy+MmItEV3DAOnKjXxyWzyWpaTeinj7qHk9FyMWagW:x1TwgsmCRMmIcTRnKbQW/kj7uk2U
MD5: DA88A7B872B1A52F2465D12CFBA4EDAB
SHA1: 8421C2A12DFF33B827E8A6F942C2C87082D933DB
SHA-256: 6A97CF791352C68EFFEFCBE3BB23357A76D93CB51D08543ED993210C56782627
SHA-512: CA96D8D423235E013B228D05961ED5AA347D25736F8DFC4C7FEB81BFA5A1193D013CD29AA027E1793D6835E52F6557B3491520D56DE7C09F0165F1D5C8FD9ED8
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1232896
Entropy (8bit): 5.5551816370972045
Encrypted: false
SSDEEP: 12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1v:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: E65B52DA0196CE4DFFEB0EAF2709D358
SHA1: 9B6CF7C801A308E90E5234DAEA3C88F285FBA91D
SHA-256: E643B94BBD4E5AE7C74339BA091C251096A9FC3D52C792B455422AA46CAB3098
SHA-512: 19F01E0182D21D0D78649989F36BF28A4D67A77D704FCCD2C88379E43E1116E8A08291CBAB95D7A7692BE7EAFAAF14C8141C883EBD8F50B7CC82732C75E854E7
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: unknown

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Process: C:\Windows\explorer.exe
File Type: data
Category: dropped
Size (bytes): 4442
Entropy (8bit): 5.475959740413491
Encrypted: false
SSDEEP: 96:j4jGRePj73FEnphe4jGRdreVYD565JoabRZ:05Pjk4H96oa1Z
MD5: 3F9721680F66E36E4A6E8F8943387C63
SHA1: 7295E4A2AA39178F6E45BE13C169C3F46F1E2EAC
SHA-256: 0AD67AE38A272E05DCC1A3C7E10DF68FA2A98E7878F4F17AD6B9F9BE2C31E090
SHA-512: 6F526FBB57DA6725B73AE6B1979BE8D36D2E26D5BB984306DF224679CCDE57DE7C9A1818B8A7215AB74191B154D30084622B787EE9FAEB0B790A6E00DEF7A3FE
Malicious: false
Reputation: unknown

                                                                Static File Info

                                                                General

                                                                File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Entropy (8bit):5.561077097847572
                                                                TrID:
                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                File name:K7dGM0P0yz.dll
                                                                File size:1224704
                                                                MD5:2955d4759afce09a41c1df5b108f0287
                                                                SHA1:11e277c3c987b4119909dd099a5f901e074698e3
                                                                SHA256:97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
                                                                SHA512:1cb1adb483d7652ac7c41fc471612d9ee14415763c753e269645a97917050cf1e144daa679f09714a29b9d00d6234606eed407c9735c0d4bb3bfe12ca9b74a80
                                                                SSDEEP:12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

                                                                File Icon

                                                                Icon Hash:74f0e4ecccdce0e4

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x140041070
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:0
                                                                File Version Major:5
                                                                File Version Minor:0
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:0
                                                                Import Hash:6668be91e2c948b183827f040944057f

                                                                Entrypoint Preview

                                                                Instruction
                                                                dec eax
                                                                xor eax, eax
                                                                dec eax
                                                                add eax, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D82h], ecx
                                                                dec eax
                                                                lea ecx, dword ptr [FFFFECABh]
                                                                dec eax
                                                                mov dword ptr [00073D7Ch], edx
                                                                dec eax
                                                                add eax, ecx
                                                                dec esp
                                                                mov dword ptr [00073D92h], ecx
                                                                dec esp
                                                                mov dword ptr [00073DA3h], ebp
                                                                dec esp
                                                                mov dword ptr [00073D7Ch], eax
                                                                dec esp
                                                                mov dword ptr [00073D85h], edi
                                                                dec esp
                                                                mov dword ptr [00073D86h], esi
                                                                dec esp
                                                                mov dword ptr [00073D8Fh], esp
                                                                dec eax
                                                                mov ecx, eax
                                                                dec eax
                                                                sub ecx, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D89h], esi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007F237894548Fh
                                                                dec eax
                                                                mov dword ptr [00073D45h], esp
                                                                dec eax
                                                                mov dword ptr [00073D36h], ebp
                                                                dec eax
                                                                mov dword ptr [00073D7Fh], ebx
                                                                dec eax
                                                                mov dword ptr [00073D70h], edi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007F237894546Eh
                                                                jmp ecx
                                                                dec eax
                                                                add edi, ecx
                                                                dec eax
                                                                mov dword ptr [FFFFEC37h], ecx
                                                                dec eax
                                                                xor ecx, eax
                                                                jmp ecx
                                                                retn 0008h
                                                                ud2
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebx
                                                                dec eax
                                                                sub esp, 00000080h
                                                                mov eax, F957B016h
                                                                mov byte ptr [esp+7Fh], 00000037h
                                                                mov edx, dword ptr [esp+78h]
                                                                inc ecx
                                                                mov eax, edx
                                                                inc ecx
                                                                or eax, 5D262B0Ch
                                                                inc esp
                                                                mov dword ptr [esp+78h], eax
                                                                dec eax
                                                                mov dword ptr [eax+eax+00h], 00000000h

                                                                Rich Headers

                                                                Programming Language:
                                                                • [LNK] VS2012 UPD4 build 61030
                                                                • [ASM] VS2013 UPD2 build 30501
                                                                • [ C ] VS2012 UPD2 build 60315
                                                                • [C++] VS2013 UPD4 build 31101
                                                                • [RES] VS2012 UPD3 build 60610
                                                                • [LNK] VS2017 v15.5.4 build 25834
                                                                • [ C ] VS2017 v15.5.4 build 25834
                                                                • [ASM] VS2010 build 30319
                                                                • [EXP] VS2015 UPD1 build 23506
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [RES] VS2012 UPD4 build 61030
                                                                • [LNK] VS2012 UPD2 build 60315
                                                                • [C++] VS2015 UPD1 build 23506
                                                                • [ C ] VS2013 UPD4 build 31101

                                                                Data Directories

                                                                | Name | Virtual Address | Virtual Size | Is in Section |
                                                                | --- | --- | --- | --- |
                                                                | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12a010 | 0x9bd | .sow |
                                                                | IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata |
                                                                | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc |
                                                                | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc |
                                                                | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata |
                                                                | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                                                                | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                                                Sections

                                                                | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                                                | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                                                                | .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
                                                                | .rdata | 0x42000 | 0x64fcb | 0x65000 | False | 0.702262047494 | data | 7.86510283498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                | .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
                                                                | .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .wnx | 0x10e000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .weqy | 0x10f000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .yby | 0x110000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .ormx | 0x112000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .dhclu | 0x113000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .xmiul | 0x114000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .tlwcxe | 0x115000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .get | 0x116000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .hzrd | 0x117000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .qzu | 0x119000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .nhglos | 0x11a000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .itzo | 0x11b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .nmsaom | 0x11c000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .mas | 0x11d000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .ldov | 0x11e000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .bwslm | 0x11f000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .gfceb | 0x120000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .nojmwb | 0x122000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .naznun | 0x123000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .iyfv | 0x124000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .iqae | 0x125000 | 0xf9 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .zco | 0x126000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .kqpcjh | 0x127000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .unbzj | 0x128000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .tcuit | 0x129000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                | .sow | 0x12a000 | 0x9cd | 0x1000 | False | 0.32421875 | data | 4.01791151215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

                                                                Resources

                                                                | Name | RVA | Size | Type | Language | Country |
                                                                | --- | --- | --- | --- | --- | --- |
                                                                | RT_VERSION | 0xc00a0 | 0x370 | data | English | United States |
                                                                | RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States |

                                                                Imports

                                                                | DLL | Import |
                                                                | --- | --- |
                                                                | USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus |
                                                                | SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW |
                                                                | KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize |
                                                                | GDI32.dll | CreateBitmapIndirect, GetPolyFillMode |
                                                                | CRYPT32.dll | CertGetCTLContextProperty |
                                                                | ADVAPI32.dll | AddAccessDeniedObjectAce |
                                                                | SHLWAPI.dll | ChrCmpIW |

                                                                Exports

                                                                | Name | Ordinal | Address |
                                                                | --- | --- | --- |
                                                                | BeginBufferedAnimation | 37 | 0x140010604 |
                                                                | BeginBufferedPaint | 38 | 0x140040dbc |
                                                                | BeginPanningFeedback | 5 | 0x140029098 |
                                                                | BufferedPaintClear | 39 | 0x14003e6d4 |
                                                                | BufferedPaintInit | 40 | 0x14002f964 |
                                                                | BufferedPaintRenderAnimation | 41 | 0x14001ac64 |
                                                                | BufferedPaintSetAlpha | 42 | 0x1400416a0 |
                                                                | BufferedPaintStopAllAnimations | 51 | 0x140021ef8 |
                                                                | BufferedPaintUnInit | 52 | 0x140013340 |
                                                                | CloseThemeData | 53 | 0x1400071d8 |
                                                                | DrawThemeBackground | 54 | 0x140002540 |
                                                                | DrawThemeBackgroundEx | 47 | 0x140008170 |
                                                                | DrawThemeEdge | 55 | 0x140002bec |
                                                                | DrawThemeIcon | 56 | 0x14004013c |
                                                                | DrawThemeParentBackground | 57 | 0x1400116a4 |
                                                                | DrawThemeParentBackgroundEx | 58 | 0x140020c0c |
                                                                | DrawThemeText | 59 | 0x140004e4c |
                                                                | DrawThemeTextEx | 70 | 0x14003d8e4 |
                                                                | EnableThemeDialogTexture | 71 | 0x140008934 |
                                                                | EnableTheming | 87 | 0x1400184cc |
                                                                | EndBufferedAnimation | 88 | 0x14001e940 |
                                                                | EndBufferedPaint | 89 | 0x140035d68 |
                                                                | EndPanningFeedback | 6 | 0x14000724c |
                                                                | GetBufferedPaintBits | 90 | 0x14001c854 |
                                                                | GetBufferedPaintDC | 91 | 0x140035378 |
                                                                | GetBufferedPaintTargetDC | 92 | 0x140038e14 |
                                                                | GetBufferedPaintTargetRect | 93 | 0x1400105a8 |
                                                                | GetCurrentThemeName | 94 | 0x1400183cc |
                                                                | GetThemeAppProperties | 95 | 0x14001db84 |
                                                                | GetThemeBackgroundContentRect | 96 | 0x140008a34 |
                                                                | GetThemeBackgroundExtent | 97 | 0x1400056f8 |
                                                                | GetThemeBackgroundRegion | 98 | 0x14000ad6c |
                                                                | GetThemeBitmap | 99 | 0x14003d7a8 |
                                                                | GetThemeBool | 100 | 0x140001954 |
                                                                | GetThemeColor | 101 | 0x14001585c |
                                                                | GetThemeDocumentationProperty | 102 | 0x140037a84 |
                                                                | GetThemeEnumValue | 103 | 0x14000bf08 |
                                                                | GetThemeFilename | 104 | 0x14000f3dc |
                                                                | GetThemeFont | 105 | 0x14001390c |
                                                                | GetThemeInt | 106 | 0x14003a2e8 |
                                                                | GetThemeIntList | 107 | 0x14000ce8c |
                                                                | GetThemeMargins | 108 | 0x14003704c |
                                                                | GetThemeMetric | 109 | 0x14003894c |
                                                                | GetThemePartSize | 110 | 0x140026338 |
                                                                | GetThemePosition | 111 | 0x14001906c |
                                                                | GetThemePropertyOrigin | 112 | 0x140006c60 |
                                                                | GetThemeRect | 113 | 0x14000ecc4 |
                                                                | GetThemeStream | 114 | 0x140025f68 |
                                                                | GetThemeString | 115 | 0x14000eed0 |
                                                                | GetThemeSysBool | 116 | 0x14000a234 |
                                                                | GetThemeSysColor | 117 | 0x14002f7a4 |
                                                                | GetThemeSysColorBrush | 118 | 0x14002dab0 |
                                                                | GetThemeSysFont | 119 | 0x1400236bc |
                                                                | GetThemeSysInt | 120 | 0x140037f14 |
                                                                | GetThemeSysSize | 121 | 0x140006e28 |
                                                                | GetThemeSysString | 122 | 0x14001a14c |
                                                                | GetThemeTextExtent | 123 | 0x140039e5c |
                                                                | GetThemeTextMetrics | 124 | 0x1400167d8 |
                                                                | GetThemeTransitionDuration | 125 | 0x14000bf60 |
                                                                | GetWindowTheme | 126 | 0x14000ef70 |
                                                                | HitTestThemeBackground | 127 | 0x140019fb0 |
                                                                | IsAppThemed | 128 | 0x1400244d0 |
                                                                | IsCompositionActive | 129 | 0x14002dacc |
                                                                | IsThemeActive | 130 | 0x14001acd0 |
                                                                | IsThemeBackgroundPartiallyTransparent | 131 | 0x140001130 |
                                                                | IsThemeDialogTextureEnabled | 132 | 0x140030c50 |
                                                                | IsThemePartDefined | 133 | 0x140004240 |
                                                                | OpenThemeData | 134 | 0x14000f430 |
                                                                | OpenThemeDataEx | 61 | 0x140028da4 |
                                                                | SetThemeAppProperties | 135 | 0x1400278c4 |
                                                                | SetWindowTheme | 136 | 0x14000878c |
                                                                | SetWindowThemeAttribute | 137 | 0x140025128 |
                                                                | ThemeInitApiHook | 138 | 0x14000a640 |
                                                                | UpdatePanningFeedback | 12 | 0x14001de60 |

                                                                Version Infos

                                                                | Description | Data |
                                                                | --- | --- |
                                                                | LegalCopyright | Microsoft Corporation. All rights reserv |
                                                                | InternalName | bitsp |
                                                                | FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
                                                                | CompanyName | Microsoft Corporati |
                                                                | ProductName | Microsoft Windows Operating S |
                                                                | ProductVersion | 6.1.7600 |
                                                                | FileDescription | Background Intellig |
                                                                | OriginalFilename | kbdy |
                                                                | Translation | 0x0409 0x04b0 |

                                                                Possible Origin

                                                                Language of compilation system  Country where language is spoken  Map
                                                                English                         United States

                                                                Network Behavior

                                                                Network Port Distribution

                                                                UDP Packets

                                                                Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                Sep 28, 2021 17:50:54.242203951 CEST  53           64646      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:50:55.216106892 CEST  65298        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:50:55.238712072 CEST  53           65298      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:50:58.137361050 CEST  59123        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:50:58.159229994 CEST  53           59123      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:29.047678947 CEST  54531        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:29.073697090 CEST  53           54531      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:48.214468956 CEST  49714        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:48.234690905 CEST  53           49714      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:50.760689974 CEST  58028        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:50.780770063 CEST  53           58028      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:51.605859041 CEST  53097        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:51.629291058 CEST  53           53097      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:52.141052008 CEST  49257        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:52.161884069 CEST  53           49257      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:52.779175997 CEST  62389        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:52.799179077 CEST  53           62389      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:53.261821032 CEST  49910        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:53.283670902 CEST  53           49910      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:53.481460094 CEST  55854        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:53.510181904 CEST  53           55854      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:53.777473927 CEST  64549        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:53.820067883 CEST  53           64549      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:54.341542006 CEST  63153        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:54.360327959 CEST  53           63153      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:55.436522961 CEST  52991        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:55.456087112 CEST  53           52991      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:56.204061031 CEST  53700        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:56.222748995 CEST  53           53700      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:51:56.622276068 CEST  51726        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:51:56.644093037 CEST  53           51726      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:52:12.671499014 CEST  56794        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:52:12.692701101 CEST  53           56794      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:52:46.959403992 CEST  56534        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:52:46.993822098 CEST  53           56534      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:52:48.438551903 CEST  56627        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:52:48.464600086 CEST  53           56627      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:54:03.161432028 CEST  56621        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:54:03.161909103 CEST  63116        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:54:03.162794113 CEST  64078        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:54:03.178714991 CEST  64801        53         192.168.2.4  8.8.8.8
                                                                Sep 28, 2021 17:54:03.181512117 CEST  53           63116      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:54:03.182200909 CEST  53           64078      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:54:03.196491957 CEST  53           56621      8.8.8.8      192.168.2.4
                                                                Sep 28, 2021 17:54:03.198102951 CEST  53           64801      8.8.8.8      192.168.2.4

                                                                Code Manipulations

                                                                Statistics

                                                                CPU Usage

                                                                Memory Usage

                                                                High Level Behavior Distribution

                                                                Behavior

                                                                System Behavior

                                                                General

                                                                Start time:17:51:00
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\loaddll64.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
                                                                Imagebase:0x7ff651af0000
                                                                File size:1136128 bytes
                                                                MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
                                                                Imagebase:0x7ff622070000
                                                                File size:273920 bytes
                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.749176319.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.666466905.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:02
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Explorer.EXE
                                                                Imagebase:0x7ff6fee60000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:04
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:08
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.681792937.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:42
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\bdechangepin.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\bdechangepin.exe
                                                                Imagebase:0x7ff7b6860000
                                                                File size:369664 bytes
                                                                MD5 hash:013D00A367D851B0EC869F209337754E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:51:48
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Imagebase:0x7ff636980000
                                                                File size:369664 bytes
                                                                MD5 hash:013D00A367D851B0EC869F209337754E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.786920888.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:51:59
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rdpinit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\rdpinit.exe
                                                                Imagebase:0x7ff6103f0000
                                                                File size:327168 bytes
                                                                MD5 hash:EF7C9CF6EA5B8B9C5C8320990714C35D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:00
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
                                                                Imagebase:0x7ff6ce1c0000
                                                                File size:327168 bytes
                                                                MD5 hash:EF7C9CF6EA5B8B9C5C8320990714C35D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:11
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\wlrmdr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wlrmdr.exe
                                                                Imagebase:0x7ff6581f0000
                                                                File size:65704 bytes
                                                                MD5 hash:4849E997AF1274DD145672A2F9BC0827
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:16
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Imagebase:0x7ff79a6f0000
                                                                File size:65704 bytes
                                                                MD5 hash:4849E997AF1274DD145672A2F9BC0827
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.847453673.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:28
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rdpclip.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\rdpclip.exe
                                                                Imagebase:0x7ff72f500000
                                                                File size:417280 bytes
                                                                MD5 hash:1690E3004F712C75A2C9FF6BCDE49461
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:29
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Imagebase:0x7ff7b9580000
                                                                File size:417280 bytes
                                                                MD5 hash:1690E3004F712C75A2C9FF6BCDE49461
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:40
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\AgentService.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\AgentService.exe
                                                                Imagebase:0x7ff7e2c00000
                                                                File size:1189376 bytes
                                                                MD5 hash:F7E36C20DB953DFF4FDDB817904C0E48
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:41
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Imagebase:0x7ff71b640000
                                                                File size:1189376 bytes
                                                                MD5 hash:F7E36C20DB953DFF4FDDB817904C0E48
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:53
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\dccw.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dccw.exe
                                                                Imagebase:0x7ff6a0ee0000
                                                                File size:657920 bytes
                                                                MD5 hash:341515B9556F37E623777D1C377BCFAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:55
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Imagebase:0x7ff732050000
                                                                File size:657920 bytes
                                                                MD5 hash:341515B9556F37E623777D1C377BCFAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.931145989.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:53:06
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\dpapimig.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dpapimig.exe
                                                                Imagebase:0x7ff761d30000
                                                                File size:76800 bytes
                                                                MD5 hash:EE7DB7B615B48D8F9F08FAE70CAF46D7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:53:11
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
                                                                Imagebase:0x7ff6312d0000
                                                                File size:76800 bytes
                                                                MD5 hash:EE7DB7B615B48D8F9F08FAE70CAF46D7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.965505490.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:53:23
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\GamePanel.exe
                                                                Imagebase:0x7ff7ded90000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:53:24
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
                                                                Imagebase:0x7ff66a260000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.992899569.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                Disassembly

                                                                Code Analysis

                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
                                                                  • Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
                                                                  • Opcode Fuzzy Hash: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
                                                                  • Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
                                                                  • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
                                                                  • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
                                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close$EnumOpen
                                                                  • String ID:
                                                                  • API String ID: 138425441-0
                                                                  • Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
                                                                  • Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
                                                                  • Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
                                                                  • Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                  • String ID: 4aX
                                                                  • API String ID: 3907675253-4042356595
                                                                  • Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
                                                                  • Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
                                                                  • Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
                                                                  • Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
                                                                  • Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
                                                                  • Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
                                                                  • Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$PointerRead
                                                                  • String ID:
                                                                  • API String ID: 3154509469-0
                                                                  • Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
                                                                  • Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
                                                                  • Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
                                                                  • Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                                                                  • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$CreateTime
                                                                  • String ID:
                                                                  • API String ID: 1043708186-0
                                                                  • Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
                                                                  • Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
                                                                  • Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
                                                                  • Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                                                                  • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$CreateTime
                                                                  • String ID:
                                                                  • API String ID: 1043708186-0
                                                                  • Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
                                                                  • Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
                                                                  • Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
                                                                  • Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                                                                  • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$CreateTime
                                                                  • String ID:
                                                                  • API String ID: 1043708186-0
                                                                  • Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
                                                                  • Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
                                                                  • Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
                                                                  • Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
                                                                  • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
                                                                  • Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
                                                                  • Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
                                                                  • Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                                                                  • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$CreateTime
                                                                  • String ID:
                                                                  • API String ID: 1043708186-0
                                                                  • Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
                                                                  • Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
                                                                  • Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
                                                                  • Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ComputerName
                                                                  • String ID:
                                                                  • API String ID: 3545744682-0
                                                                  • Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
                                                                  • Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
                                                                  • Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
                                                                  • Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateMutex
                                                                  • String ID:
                                                                  • API String ID: 1964310414-0
                                                                  • Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
                                                                  • Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
                                                                  • Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
                                                                  • Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileFindNext
                                                                  • String ID:
                                                                  • API String ID: 2029273394-0
                                                                  • Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
                                                                  • Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
                                                                  • Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
                                                                  • Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumValue
                                                                  • String ID:
                                                                  • API String ID: 2814608202-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateHeap
                                                                  • String ID:
                                                                  • API String ID: 10892065-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: BoundaryDeleteDescriptor
                                                                  • String ID:
                                                                  • API String ID: 3203483114-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0020$0020$3050$3050$4040$GNOP
                                                                  • API String ID: 0-829999343
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ERCP$VUUU$VUUU$VUUU
                                                                  • API String ID: 0-2165971703
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GC,$GC,$GC,$GC,
                                                                  • API String ID: 0-2774350030
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: }*$}*
                                                                  • API String ID: 0-2047341001
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: )8GV$)8GV$@
                                                                  • API String ID: 0-2802744955
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GC,$GC,${QN
                                                                  • API String ID: 0-3150587038
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0$GC,
                                                                  • API String ID: 0-3557465234
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: cLpS$cLpS
                                                                  • API String ID: 0-581437482
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: D
                                                                  • API String ID: 0-2746444292
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GET
                                                                  • API String ID: 0-1805413626
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CloseEnvironmentExpandStrings
                                                                  • String ID:
                                                                  • API String ID: 1839112984-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: cLpS
                                                                  • API String ID: 0-2886372077
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: CreateMutex
                                                                  • String ID: m
                                                                  • API String ID: 1964310414-3775001192
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: s( j
                                                                  • API String ID: 0-1450404818
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: U
                                                                  • API String ID: 0-3372436214
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Content-Type
                                                                  • API String ID: 0-2058190213
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID: 0
                                                                  • API String ID: 3535843008-4108050209
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: tI*k
                                                                  • API String ID: 0-257501792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ERCP
                                                                  • API String ID: 0-1384759551
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Similarity
                                                                  • API ID: File$PointerRead
                                                                  • String ID:
                                                                  • API String ID: 3154509469-0
                                                                  • Opcode ID: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
                                                                  • Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
                                                                  • Opcode Fuzzy Hash: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
                                                                  • Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
                                                                  • Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
                                                                  • Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
                                                                  • Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
                                                                  • Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
                                                                  • Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
                                                                  • Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
                                                                  • Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
                                                                  • Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
                                                                  • Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
                                                                  • Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
                                                                  • Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
                                                                  • Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
                                                                  • Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
                                                                  • Opcode Fuzzy Hash: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
                                                                  • Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
                                                                  • Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
                                                                  • Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
                                                                  • Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
                                                                  • Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
                                                                  • Opcode Fuzzy Hash: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
                                                                  • Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
                                                                  • Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
                                                                  • Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
                                                                  • Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
                                                                  • Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
                                                                  • Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
                                                                  • Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
                                                                  • Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
                                                                  • Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
                                                                  • Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
                                                                  • Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
                                                                  • Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
                                                                  • Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
                                                                  • Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
                                                                  • Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
                                                                  • Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
                                                                  • Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
                                                                  • Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
                                                                  • Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
                                                                  • Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
                                                                  • Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
                                                                  • Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
• Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
• Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
• Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: File$ClosePointerRead
• String ID:
• API String ID: 2610616218-0
• Opcode ID: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
• Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
• Opcode Fuzzy Hash: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
• Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
• Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
• Opcode Fuzzy Hash: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
• Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
• Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
• Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
• Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
• Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
• Opcode Fuzzy Hash: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
• Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
• Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
• Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
• Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: File$ClosePointerRead
• String ID:
• API String ID: 2610616218-0
• Opcode ID: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
• Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
• Opcode Fuzzy Hash: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
• Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
• Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
• Opcode Fuzzy Hash: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
• Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
• Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
• Opcode Fuzzy Hash: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
• Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
• Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
• Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
• Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
• Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
• Opcode Fuzzy Hash: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
• Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
• Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
• Opcode Fuzzy Hash: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
• Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
• Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
• Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
• Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
• Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
• Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
• Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
• Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
• Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
• Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
• Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
• Opcode Fuzzy Hash: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
• Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
                                                                  • Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
                                                                  • Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
                                                                  • Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
                                                                  • Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
                                                                  • Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
                                                                  • Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
                                                                  • Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
                                                                  • Opcode Fuzzy Hash: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
                                                                  • Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
                                                                  • Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
                                                                  • Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
                                                                  • Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
                                                                  • Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
                                                                  • Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
                                                                  • Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
                                                                  • Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
                                                                  • Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
                                                                  • Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
                                                                  • Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
                                                                  • Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
                                                                  • Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                                                                  • Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
                                                                  • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                                                                  • Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                                                                  • Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
                                                                  • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                                                                  • Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                                                                  • Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
                                                                  • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                                                                  • Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                                                                  • Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
                                                                  • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                                                                  • Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                                                                  • Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
                                                                  • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                                                                  • Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
                                                                  • Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
                                                                  • Opcode Fuzzy Hash: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
                                                                  • Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
                                                                  • Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
                                                                  • Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
                                                                  • Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp Download File
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
                                                                  • Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
                                                                  • Opcode Fuzzy Hash: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
                                                                  • Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
                                                                  • Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
                                                                  • Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
                                                                  • Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
                                                                  • Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
                                                                  • Opcode Fuzzy Hash: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
                                                                  • Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
                                                                  • Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
                                                                  • Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
                                                                  • Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
                                                                  • Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
                                                                  • Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
                                                                  • Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
                                                                  • Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
                                                                  • Opcode Fuzzy Hash: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
                                                                  • Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
                                                                  • Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
                                                                  • Opcode Fuzzy Hash: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
                                                                  • Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
                                                                  • Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
                                                                  • Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
                                                                  • Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
                                                                  • Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
                                                                  • Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
                                                                  • Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
                                                                  • Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
                                                                  • Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
                                                                  • Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
                                                                  • Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
                                                                  • Opcode Fuzzy Hash: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
                                                                  • Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$ClosePointerRead
                                                                  • String ID:
                                                                  • API String ID: 2610616218-0
                                                                  • Opcode ID: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
                                                                  • Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
                                                                  • Opcode Fuzzy Hash: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
                                                                  • Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
                                                                  • Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
                                                                  • Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
                                                                  • Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
                                                                  • Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
                                                                  • Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
                                                                  • Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$PointerRead
                                                                  • String ID:
                                                                  • API String ID: 3154509469-0
                                                                  • Opcode ID: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
                                                                  • Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
                                                                  • Opcode Fuzzy Hash: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
                                                                  • Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
                                                                  • Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
                                                                  • Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
                                                                  • Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
                                                                  • Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
                                                                  • Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
                                                                  • Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000000.00000002.687661676.0000000140000000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687768542.0000000140080000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687788577.0000000140092000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.687799880.0000000140094000.00000002.00020000.sdmp
                                                                  • API ID: CreateMutex
                                                                  • API String ID: 1964310414-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.749534130.000001E0D2A40000.00000040.00000001.sdmp, Offset: 000001E0D2A40000, based on PE: true
                                                                  • API ID: ProtectVirtual$NodeRemove
                                                                  • API String ID: 3879549435-0
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001E0D2A429A8), ref: 000001E0D2A420A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.749534130.000001E0D2A40000.00000040.00000001.sdmp, Offset: 000001E0D2A40000, based on PE: true
                                                                  • API ID: AllocVirtual
                                                                  • API String ID: 4275171209-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.666628941.00000250D7B80000.00000040.00000001.sdmp, Offset: 00000250D7B80000, based on PE: true
                                                                  • API ID: ProtectVirtual$NodeRemove
                                                                  • API String ID: 3879549435-0
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000250D7B829A8), ref: 00000250D7B820A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.666628941.00000250D7B80000.00000040.00000001.sdmp, Offset: 00000250D7B80000, based on PE: true
                                                                  • API ID: AllocVirtual
                                                                  • API String ID: 4275171209-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.675150776.0000022202A50000.00000040.00000001.sdmp, Offset: 0000022202A50000, based on PE: true
                                                                  • API ID: ProtectVirtual$NodeRemove
                                                                  • API String ID: 3879549435-0
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000022202A529A8), ref: 0000022202A520A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.675150776.0000022202A50000.00000040.00000001.sdmp, Offset: 0000022202A50000, based on PE: true
                                                                  • API ID: AllocVirtual
                                                                  • API String ID: 4275171209-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.682308639.0000023B9EE30000.00000040.00000001.sdmp, Offset: 0000023B9EE30000, based on PE: true
                                                                  • API ID: ProtectVirtual$NodeRemove
                                                                  • API String ID: 3879549435-0
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000023B9EE329A8), ref: 0000023B9EE320A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.682308639.0000023B9EE30000.00000040.00000001.sdmp, Offset: 0000023B9EE30000, based on PE: true
                                                                  • API ID: AllocVirtual
                                                                  • API String ID: 4275171209-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.787121419.0000019744AE0000.00000040.00000001.sdmp, Offset: 0000019744AE0000, based on PE: true
                                                                  • API ID: ProtectVirtual$NodeRemove
                                                                  • API String ID: 3879549435-0
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000019744AE29A8), ref: 0000019744AE20A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.787121419.0000019744AE0000.00000040.00000001.sdmp, Offset: 0000019744AE0000, based on PE: true
                                                                  • API ID: AllocVirtual
                                                                  • API String ID: 4275171209-0
                                                                  • Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                  • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                  • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                  • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                  • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                  • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  • API ID: Direct$CriticalHost@Section$Element@Native$CommandDefer@FreeHandleInitLineLocalMetricsSystem$ArgvCloseCreate@D__@@DeleteElement@2@@EnterErrorImageInitializeLastLeaveLoadMessageModuleN__@@PrivProcessPumpShowStartThreadUninitializeV12@@Visible@Window@
                                                                  • String ID: -pw$Local\BitLockerChangePinTaskDialogMutex
                                                                  • API String ID: 1726267134-757397444
                                                                  • Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                  • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp Download File
Similarity
• API ID: CloseLoad$Open$AttributesFilememset
• String ID: BitLockerSoftwareRoot$BitLockerSystemRoot$Software$System$\Windows\System32\Config\SOFTWARE$\Windows\System32\Config\SYSTEM
• API String ID: 2431187396-598360934
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: MessageSend$InvalidateRect$Descendent@DirectElement@FindV12@
• String ID: existingpassphraseedit$newpassphraseconfirmedit$newpassphraseedit$showpassphrasebox
• API String ID: 516632944-103220476
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: Binding$FreeString$AllocateAuthComposeErrorFromInfoInitializeLastmemset
• String ID: ncalrpc
• API String ID: 580237516-2983622238
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: Free$Binding$String$Call3ClientComposememset
• String ID:
• API String ID: 2038241420-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: Free$Binding$String$Call3ClientComposememset
• String ID:
• API String ID: 2038241420-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: BindingFree
• String ID:
• API String ID: 3284907940-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: BindingFree
• String ID:
• API String ID: 3284907940-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: DirectElement@$LayoutPos@$Enabled@$ContentErrorFormatFreeLastLocalMessageString@$Descendent@FindV12@
• String ID: changepassphrasebutton$changepassphrasedialogtitle$changepassphrasenonosdialogtitle$changepinbutton$managebitlockerlink$managebitlockerpassphraselink$passphrasechangepanel$passphraseconstraintstext$passphrasehelplink$pinchangepanel$pinconstraintstext
• API String ID: 2795573596-1854213016
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: CriticalEnterMessagePostSection
• String ID: cancelbutton$changepassphrasebutton$changepinbutton$closebutton$existingpassphraseedit$existingpinedit$newpassphraseconfirmedit$newpassphraseedit$newpinconfirmedit
• API String ID: 2006568331-3932964519
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32 ref: 00007FF636982005
  • Part of subcall function 00007FF636981B0C: ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981B6F
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF63698214D
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982159
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982165
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982171
• ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636982182
• ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF63698218F
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF63698219B
• ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF6369821A7
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF6369821B3
• ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF6369821C2
• ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF6369821CD
  • Part of subcall function 00007FF6369816E0: FormatMessageW.KERNEL32 ref: 00007FF63698171D
  • Part of subcall function 00007FF6369816E0: FormatMessageW.KERNEL32 ref: 00007FF636981752
  • Part of subcall function 00007FF6369816E0: GetLastError.KERNEL32 ref: 00007FF63698175C
  • Part of subcall function 00007FF6369816E0: LocalFree.KERNEL32 ref: 00007FF6369818B4
  • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D68
  • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D79
  • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981DCF

Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
Similarity
• API ID: DirectElement@$Enabled@$ContentLayoutPos@String@$FormatMessage$CriticalEncodedEnterErrorFreeLastLocalSection
• String ID: cancelbutton$changepassphrasebutton$closebutton$errortextpanel$existingpassphraseedit$newpassphraseconfirmedit$newpassphraseedit$passphraseconfirmationtextpanel$showpassphrasebox
• API String ID: 2173029526-2738596832
                                                                  • Opcode ID: 324ea08538bbe5acd47320debbe564e6202197056a6a020baa145eb9dc66573b
                                                                  • Instruction ID: 148005b901270b330729460240cc14e8c5cd2431d90934e001cb5f247b4f8539
                                                                  • Opcode Fuzzy Hash: 324ea08538bbe5acd47320debbe564e6202197056a6a020baa145eb9dc66573b
                                                                  • Instruction Fuzzy Hash: E751D565B08A0385F7049B22DD509F92661AF88BD9F454032DE1ECB7BFDE6EE145E340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: DirectElement@$LayoutPos@Visible@$FormatMessage$ContentErrorFreeLastLocalString@
                                                                  • String ID: asciiwarningicon$errortextpanel$pinerrortextpanel$pinstatustext$pinstatustexterroricon$pinwarningicon$statustext$statustexterroricon
                                                                  • API String ID: 2291582882-3989104529
                                                                  • Opcode ID: 8c5b841bf54b8d4a63f967343b3e7210d73d281e463c4729043336634d53a674
                                                                  • Instruction ID: 6cff3fecea20c89054e6bd37ee9684d5f63dce02877f54f90c7c5bc5f7fdf67d
                                                                  • Opcode Fuzzy Hash: 8c5b841bf54b8d4a63f967343b3e7210d73d281e463c4729043336634d53a674
                                                                  • Instruction Fuzzy Hash: 81511722B04A4386F7108B62D891AF927B5BB88799F444131CA5DD37BEDF7EE0859350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32 ref: 00007FF636981E11
                                                                    • Part of subcall function 00007FF636981B0C: ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981B6F
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981F3E
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981F4A
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981F56
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981F62
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636981F73
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636981F80
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636981F8C
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981F98
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636981FA7
                                                                  • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636981FB2
                                                                    • Part of subcall function 00007FF6369816E0: FormatMessageW.KERNEL32 ref: 00007FF63698171D
                                                                    • Part of subcall function 00007FF6369816E0: FormatMessageW.KERNEL32 ref: 00007FF636981752
                                                                    • Part of subcall function 00007FF6369816E0: GetLastError.KERNEL32 ref: 00007FF63698175C
                                                                    • Part of subcall function 00007FF6369816E0: LocalFree.KERNEL32 ref: 00007FF6369818B4
                                                                    • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D68
                                                                    • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D79
                                                                    • Part of subcall function 00007FF636981C3C: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981DCF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: DirectElement@$Enabled@$ContentLayoutPos@String@$FormatMessage$CriticalEncodedEnterErrorFreeLastLocalSection
                                                                  • String ID: cancelbutton$changepinbutton$closebutton$confirmationtextpanel$existingpinedit$newpinconfirmedit$newpinedit$pinerrortextpanel
                                                                  • API String ID: 2173029526-488077809
                                                                  • Opcode ID: 7f7634ace810c3cca529f600c15ef0778ad45898f7e6d13ef7efefef2921e811
                                                                  • Instruction ID: 8753cbb488327db41f74332b0d7e0a887bc7958304b7a2d1a43f99f566b36424
                                                                  • Opcode Fuzzy Hash: 7f7634ace810c3cca529f600c15ef0778ad45898f7e6d13ef7efefef2921e811
                                                                  • Instruction Fuzzy Hash: 0C51F465B08A0386FB049B22D9509F92761AF88BD9F444432DE1EC77BFDF6EE445A240
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF636981386), ref: 00007FF636982D2B
                                                                    • Part of subcall function 00007FF6369819DC: ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981A25
                                                                    • Part of subcall function 00007FF636981A74: ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981ABD
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF636981386), ref: 00007FF636982DF4
                                                                  • ?SetVisible@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982E81
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF636981386), ref: 00007FF636982EF6
                                                                    • Part of subcall function 00007FF636981400: StrToID.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF636981413
                                                                    • Part of subcall function 00007FF636981400: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF63698141F
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636982EA4
                                                                  • ?SetVisible@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982EB0
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636982EBC
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636982ECA
                                                                  • ?SetVisible@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982ED6
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636982EE5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: DirectElement@$ContentCriticalLayoutPos@SectionString@Visible@$EncodedEnter$Descendent@FindLeaveV12@
                                                                  • String ID: asciiwarningicon$errortextpanel$pinerrortextpanel$pinstatustext$pinstatustexterroricon$pinwarningicon$statustext$statustexterroricon
                                                                  • API String ID: 1822786922-3989104529
                                                                  • Opcode ID: b5a5310eb885388d62f23053bda821b7c79aa4f1425d798a9d70b6b76d52ae17
                                                                  • Instruction ID: 3273ebe339a8c5ffa99dd6bed10fd4908902e02940b0cd887ccebff0c5e6d65e
                                                                  • Opcode Fuzzy Hash: b5a5310eb885388d62f23053bda821b7c79aa4f1425d798a9d70b6b76d52ae17
                                                                  • Instruction Fuzzy Hash: 3F610C25B08A4386F700DB75D990AF926A0AF48798F451031DA1ECB7FBDF7EE445A384
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: Class$Direct$Info$Info@2@$Base@Edit@Heap$Lock@Ptr@$CritE__@@ProcessPropertyRegister@$AllocElement@Exist@FactoryFreeInitialize@N@@@U32@
                                                                  • String ID: PassphraseEdit
                                                                  • API String ID: 154275901-530614405
                                                                  • Opcode ID: 2c88a1a539d8fc7e2d7124c1dc31fea672409c7cbf23218eadaacd60fa17e8d1
                                                                  • Instruction ID: eb58befab8c328e7507aac092543cc706f9a93a91d607d83f3a7a335afdfde1b
                                                                  • Opcode Fuzzy Hash: 2c88a1a539d8fc7e2d7124c1dc31fea672409c7cbf23218eadaacd60fa17e8d1
                                                                  • Instruction Fuzzy Hash: 01412025A08B0786F7109B66E884A7967A1FF98B85F044035C94EC7BBEDF7EE445E340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: Class$Direct$Info$Info@2@$Element@$Base@Heap$Lock@Ptr@$CritE__@@ProcessPropertyRegister@$AllocExist@FactoryFreeInitialize@N@@@U32@
                                                                  • String ID: CDUIHost
                                                                  • API String ID: 1731092042-897944494
                                                                  • Opcode ID: 7f723bc5834cd78941226f12c47ce6d7fd37ffc92f75f477bb1c8f913f1cee66
                                                                  • Instruction ID: d12f02877c9a2e75faa560a0068c2efad15a22eae72088a71f3b257c20ba1b50
                                                                  • Opcode Fuzzy Hash: 7f723bc5834cd78941226f12c47ce6d7fd37ffc92f75f477bb1c8f913f1cee66
                                                                  • Instruction Fuzzy Hash: 64411022A08B0782F7109B66F8849796761BF98B95F044435C95EC37BFDF7EE545A300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00007FF636981400: StrToID.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF636981413
                                                                    • Part of subcall function 00007FF636981400: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF63698141F
                                                                  • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF636983298
                                                                  • ?SetVisible@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF6369832D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: DirectElement@$Descendent@FindLayoutPos@V12@Visible@
                                                                  • String ID: elevationicon$existingpassphraseedit$existingpinedit$managebitlockerlink$managebitlockerpassphraselink$newpassphraseconfirmedit$newpassphraseedit$newpinconfirmedit$newpinedit$passphrasehelplink$showpassphrasebox
                                                                  • API String ID: 2513915101-955672393
                                                                  • Opcode ID: 3a43a6a0031a4f8bfe8b0492c3f845969121b4d0a267f01c5a1f5d979dd965b9
                                                                  • Instruction ID: f8834b8e057efe616eb94b604e40981dd1f8890d12c612333405136f4fd152b8
                                                                  • Opcode Fuzzy Hash: 3a43a6a0031a4f8bfe8b0492c3f845969121b4d0a267f01c5a1f5d979dd965b9
                                                                  • Instruction Fuzzy Hash: 33510921604B8795FB148B66D9805E867A4FB48BC8F454032DA5CC7BBFDF6AE445D340
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: CriticalSection$CloseEnterHandleLeavememset
                                                                  • String ID: %s %c$BitLockerWizard.exe$BitLockerWizardElev.exe$N$open
                                                                  • API String ID: 3635417733-2078271387
                                                                  • Opcode ID: fc9ac554853ef581d349e6d297f85483a07a7b924bf9e992878b7321edd314f9
                                                                  • Instruction ID: 24fd5b6c1a2fd48e040b88976e7584f7ca2ee9aaf48038615b42768b2d9fd94b
                                                                  • Opcode Fuzzy Hash: fc9ac554853ef581d349e6d297f85483a07a7b924bf9e992878b7321edd314f9
                                                                  • Instruction Fuzzy Hash: C4515022628A4786F750CF11E850EA973A0FB88794F494031DE5E877EADF3EE546D740
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00007FF636981400: StrToID.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF636981413
                                                                    • Part of subcall function 00007FF636981400: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF63698141F
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D68
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D79
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D8C
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981D9D
                                                                  • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF636981DCF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: DirectElement@$ContentString@$Descendent@FindV12@
                                                                  • String ID: existingpassphraseedit$existingpinedit$newpassphraseconfirmedit$newpassphraseedit$newpinconfirmedit$newpinedit
                                                                  • API String ID: 996368024-2592958964
                                                                  • Opcode ID: c438360dc95305a53a0a7554534cda4846efddb7c1d1144d3b4605606e0cfcd9
                                                                  • Instruction ID: 082fda6b09a7e5e653e8f5951fe76e4697ff4c997bbb55d23abbe5a9e9306a02
                                                                  • Opcode Fuzzy Hash: c438360dc95305a53a0a7554534cda4846efddb7c1d1144d3b4605606e0cfcd9
                                                                  • Instruction Fuzzy Hash: 61410325A08A0395FB149B66D490AF827A0BF44788F484432CE5DD77FFDE6EE484E300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: Button@Click@CriticalDirectEnterSection
                                                                  • String ID: cancelbutton$changepassphrasebutton$changepinbutton$closebutton$showpassphrasebox
                                                                  • API String ID: 545058535-3651848391
                                                                  • Opcode ID: d567c88e39e1ca89da8ab2c47ea8f88512a1664561d94a60751c377d85de1eb3
                                                                  • Instruction ID: c919e5842d9a8d278c327c6281a799d6bb657cb3c65df94d1e0beb5a3d56a33b
                                                                  • Opcode Fuzzy Hash: d567c88e39e1ca89da8ab2c47ea8f88512a1664561d94a60751c377d85de1eb3
                                                                  • Instruction Fuzzy Hash: 05312921E1864381FB149B11E49097827A0BF94B81F848036DA4DC7BFFDF2EE591E754
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
                                                                   • Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
                                                                   • Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: CountTick$EventExclusiveLockUnregister$AcquireAllocLocalReleaseSleep
                                                                  • String ID: <unknown>
                                                                  • API String ID: 1994337231-1574992787
                                                                  • Opcode ID: f8180249c4aa3be7aaf82e5de2eeb97e5728f926c32387e09a576ba47dcbd36e
                                                                  • Instruction ID: 4ab68aafe596dd8ccc0aeb5ea830a2c2d4ebcea85932693e22278f55de1a1374
                                                                  • Opcode Fuzzy Hash: f8180249c4aa3be7aaf82e5de2eeb97e5728f926c32387e09a576ba47dcbd36e
                                                                  • Instruction Fuzzy Hash: 7A814832A19B438AFB508F20E844B6873B4FB44B18F040135DA5D9A7AEDF3EE464E744
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: Direct$Element@$Parser@$Heap$AllocCreateCreate@D__@@_Destroy@E__@@0@Element@2@Element@2@1FromInitialize@ProcessResource@V12@V32@@Value@2@
• String ID: main
• API String ID: 4214814137-3207122276
• Opcode ID: 5e8c9dbad88ad567b2db061863df961d90422cf49b97a313f19191bdf96d2b1e
• Instruction ID: 2e1a8433c268c53a8c60d7559404116fda3548287046602ebede2c11f1a6a55e
• Opcode Fuzzy Hash: 5e8c9dbad88ad567b2db061863df961d90422cf49b97a313f19191bdf96d2b1e
• Instruction Fuzzy Hash: 86315B32B08B0782F7208B11F854B697BA4FB88B94F444135DE8D877AADF7EE0559700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: ErrorExecuteLastShell_vsnwprintfmemset
• String ID: %s%s$627551$http://go.microsoft.com/fwlink/?LinkID=$p
• API String ID: 1980936024-519059060
• Opcode ID: 9e74826c863addad8a5a7387d283b16fadcf054a7ce117ae3646401fe88c9334
• Instruction ID: 8c5d8b0f25a2c783e212bd79f913e79eeeb6a2e19fa076267ed9ac56a6b20a2a
• Opcode Fuzzy Hash: 9e74826c863addad8a5a7387d283b16fadcf054a7ce117ae3646401fe88c9334
• Instruction Fuzzy Hash: 50112E72A18782C6F710DB64E494BAA73A4FB94704F800136D68DC27AADF3ED409DB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 642454821-0
• Opcode ID: 7e88834c3b753a35a261227a4e75bbe1b365646b83400e20212aecfa01c7c444
• Instruction ID: df2469a67bc7517998e21287f1c8391697094b0bf59d6d1c2ad2620ad3d562e8
• Opcode Fuzzy Hash: 7e88834c3b753a35a261227a4e75bbe1b365646b83400e20212aecfa01c7c444
• Instruction Fuzzy Hash: 53617921A1961386FB609B10EC44A7D22E1FB94784F440036EA4DDB7FEDF3EE941A754
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: Direct$Edit@Heap$AllocDestroy@Element@Element@2@Initialize@Process
• String ID:
• API String ID: 3883584486-0
• Opcode ID: 2362e69e1df1e378315b653ef778756de8f3c2b55894585c9482d382eef0a80b
• Instruction ID: 9cf42f4a94764426bdb181bed03115671e7665ea01c1adb36b38d6ad90758ca1
• Opcode Fuzzy Hash: 2362e69e1df1e378315b653ef778756de8f3c2b55894585c9482d382eef0a80b
• Instruction Fuzzy Hash: 3F115B21A09B8782F7008F12F85076962A5AB99F94F188034DE4D8B7BEDE3ED5519304
Uniqueness
Uniqueness Score: -1.00%

APIs
• ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981B6F
• ?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z.DUI70 ref: 00007FF636981BD5
  • Part of subcall function 00007FF636981400: StrToID.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF636981413
  • Part of subcall function 00007FF636981400: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF63698141F
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: DirectElement@$ContentEncodedString@$Descendent@FindV12@
• String ID: existingpassphraseedit$existingpinedit
• API String ID: 3893459221-3840953061
• Opcode ID: 29a4f5bac47fa025cc766a24d389e7fac7b8e66031a3e613304b52dcf2fdb74f
• Instruction ID: 65892b140909b60d917ac2fe53caf33471e67494f699629c83f84f19417a5776
• Opcode Fuzzy Hash: 29a4f5bac47fa025cc766a24d389e7fac7b8e66031a3e613304b52dcf2fdb74f
• Instruction Fuzzy Hash: 5A310F21B0879381FA109B22E454BAA6B50FF85B88F444131DA4DC77AFEF6FE545D740
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: Load
• String ID: BitLockerSoftwareRoot$BitLockerSystemRoot
• API String ID: 2234796835-1323454262
• Opcode ID: 771f4218ca7874b87ee5d8906d69bd5ddbe5e2c4973249a46ea28d647eb0fcc3
• Instruction ID: d85efb0dbe225f5fcf59f0fb484dd804aef4f35f58c34bb793d1141061293c6e
• Opcode Fuzzy Hash: 771f4218ca7874b87ee5d8906d69bd5ddbe5e2c4973249a46ea28d647eb0fcc3
• Instruction Fuzzy Hash: 3EE04F9590494782FF1047799404B303210AF08765F940330D96D453FF9F5E91999308
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: e94c6722b13373383eda5b57fe1270a7fbf0370d4f4fdd08ec9dabd69819236c
• Instruction ID: c2890a53fa2a0c7eaa12f839c1132c9cb4c6e647b7a6e66b677d7d90e4a190b5
• Opcode Fuzzy Hash: e94c6722b13373383eda5b57fe1270a7fbf0370d4f4fdd08ec9dabd69819236c
• Instruction Fuzzy Hash: B0410A35629B0289FB548B18F88176973A4FB88B48F900136DA8DCB7BADF3ED145D744
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: Volume@@$CurrentEnhanced@Init@
• String ID:
• API String ID: 4065469480-0
• Opcode ID: 20fd4509f056d175d34c518791f6fab929e6063c63696817daf241c600bccf45
• Instruction ID: 68af7214619b59a30bb5b537da4b04fe24b4f937973fcb3d74903b853229e842
• Opcode Fuzzy Hash: 20fd4509f056d175d34c518791f6fab929e6063c63696817daf241c600bccf45
• Instruction Fuzzy Hash: 40214F32718A8396F720CB24E840A9A73A0FB68744F404132DA8DC37AADF3DE915CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: InfoVerifyVersion$ConditionMaskmemset
• String ID:
• API String ID: 1287370140-0
• Opcode ID: 8e6e387075e8bc5ebb296514dcf6fbc58e2f95317fbab0f9e62aabc200f61270
• Instruction ID: 32d9a4726ad8ccb72e3f5777b1dbade7b07e499acaa29c80592e845d8b33791e
• Opcode Fuzzy Hash: 8e6e387075e8bc5ebb296514dcf6fbc58e2f95317fbab0f9e62aabc200f61270
• Instruction Fuzzy Hash: B4114F32708A8682F721CB26E48579A77A1FB98B84F444135DA9D877AEDF3DE1058B40
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: DirectoryErrorLastSystemWindows
• String ID: \\.\
• API String ID: 505562763-2900601889
• Opcode ID: eb0f741a0b898b9af2021f34ef27f5c6d9f94c6bf566df8234a2807c89a3d62c
• Instruction ID: 3021106d18ac63004f771e9fafa7e5cd70e711dd9865f2c92ae1d8eb9c1076c3
• Opcode Fuzzy Hash: eb0f741a0b898b9af2021f34ef27f5c6d9f94c6bf566df8234a2807c89a3d62c
• Instruction Fuzzy Hash: 6241D022B08B8382FB109BA5C4509B963A4FF08B80F504136CA5CDB7EBDF3EE8159340
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF636981400: StrToID.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF636981413
  • Part of subcall function 00007FF636981400: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF636982D88,?,?,?,?,?,00007FF636981386), ref: 00007FF63698141F
• ?SetVisible@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF636982C62
Strings
Memory Dump Source
• Source File: 00000010.00000002.788359651.00007FF636981000.00000020.00020000.sdmp, Offset: 00007FF636980000, based on PE: true
• Associated: 00000010.00000002.788344800.00007FF636980000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788389330.00007FF636992000.00000004.00020000.sdmp
• Associated: 00000010.00000002.788400890.00007FF636993000.00000002.00020000.sdmp
• Associated: 00000010.00000002.788452534.00007FF6369DE000.00000002.00020000.sdmp
Similarity
• API ID: DirectElement@$Descendent@FindV12@Visible@
• String ID: errortextpanel$pinerrortextpanel
• API String ID: 3775671198-1433297383
• Opcode ID: f757057e403d445601832b2d355ec33f8362be2fd65834e12261cebbd9df659c
• Instruction ID: 97908d2734e30ef2a64794aba823747299feee4337cd8ae7ce703cd7e6a94316
• Opcode Fuzzy Hash: f757057e403d445601832b2d355ec33f8362be2fd65834e12261cebbd9df659c
• Instruction Fuzzy Hash: 72F05E31A0868782FB018B25E4816F96361FB84788F584032D618CA3BFDFBED584D740
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

APIs
Memory Dump Source
• Source File: 00000014.00000002.813293554.0000018FE0440000.00000040.00000001.sdmp, Offset: 0000018FE0440000, based on PE: true
Similarity
• API ID: ProtectVirtual$NodeRemove
• String ID:
• API String ID: 3879549435-0
• Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
• Instruction ID: 225e51cc627d7ae5410cc692e020e9bf55a459ea4ce5186ec6b78032011770d1
• Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
• Instruction Fuzzy Hash: 3AB14376618BC486D770CB1AE4407DEB7A0F7D9B80F51802AEE8957F68CB79C9528F40
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000018FE04429A8), ref: 0000018FE04420A7
Memory Dump Source
• Source File: 00000014.00000002.813293554.0000018FE0440000.00000040.00000001.sdmp, Offset: 0000018FE0440000, based on PE: true
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
• Instruction ID: eca49e751f243f255c870b86a3f01bd1a71f2de2acf6894077d453ba3a94ce11
• Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
• Instruction Fuzzy Hash: 24313EB2615B9086D790DF1AE45479A7BA1F389BD4F219026EF4D87B28DF39C446CB00
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  • Associated: 00000014.00000002.814479521.00007FF6CE1C0000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814539424.00007FF6CE1FE000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814556368.00007FF6CE20D000.00000004.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814569998.00007FF6CE20E000.00000008.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814592695.00007FF6CE211000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814603658.00007FF6CE214000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: Free$Binding$ErrorLastProcessString$AddressComposeCriticalCurrentEnterHandleLibraryMessageModuleProcSectionSessionTrace
                                                                  • String ID: 04557228-209a-46b4-aaa4-4eb4c84db7a2$Failed Bind to RailOrderEncoder RPC endpoint$NT AUTHORITY\SYSTEM$RailOrderEncoderRPC#%d#%s$StringCchPrintf for endpoint name failed$ncalrpc
                                                                  • API String ID: 413770416-3087314015
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageMultipleWait$CountObjectsTick$Cursor$ApartmentDispatchHandlesLoadPeekPostQuitTranslateType
                                                                  • String ID:
                                                                  • API String ID: 1073322910-3916222277
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Process$Handle$CloseQuery$AddressFreeFullImageInformationLibraryMessageModuleNameOpenProcThreadTraceWindow
                                                                  • String ID:
                                                                  • API String ID: 202067203-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _errno
                                                                  • String ID: -$e+000$gfff
                                                                  • API String ID: 2918714741-2620144452
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CoCreateInstance.OLE32(?,?,?,?,00000001,00007FF6CE1D28F2,?,?,?,?,?,?,?,?,CRemoteAppImmersiveHost), ref: 00007FF6CE1D2FD7
                                                                  • RtlPublishWnfStateData.NTDLL ref: 00007FF6CE1D305C
                                                                    • Part of subcall function 00007FF6CE1CE570: GetModuleHandleExA.KERNEL32 ref: 00007FF6CE1CE5A4
                                                                    • Part of subcall function 00007FF6CE1CE570: GetProcAddress.KERNEL32 ref: 00007FF6CE1CE5BA
                                                                    • Part of subcall function 00007FF6CE1CE570: FreeLibrary.KERNEL32 ref: 00007FF6CE1CE5DA
                                                                    • Part of subcall function 00007FF6CE1C10D0: TraceMessage.ADVAPI32 ref: 00007FF6CE1C114F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressCreateDataFreeHandleInstanceLibraryMessageModuleProcPublishStateTrace
                                                                  • String ID: CoCreateInstance (CLSID_NotificationController) failed
                                                                  • API String ID: 269182869-1947567354
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Crypt$ContextErrorLast$AcquireAddressFreeHandleLibraryModuleProcRandomRelease
                                                                  • String ID:
                                                                  • API String ID: 619899887-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Server$AddressFreeHandleLibraryListenModuleProcProtseqRegister
                                                                  • String ID: ncalrpc
                                                                  • API String ID: 2895008694-2983622238
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ActivityBindingControlEventFreeProp
                                                                  • String ID: TaskbandHWND
                                                                  • API String ID: 950850001-3756081107
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F396A
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3986
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39AE
                                                                  • EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39B7
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39CD
                                                                  • EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39D6
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39EC
                                                                  • EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F39F5
                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3A13
                                                                  • EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3A1C
                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3A4E
                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3A5D
                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3ABF
                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3AE3
                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00000314,00000000,00007FF6CE1EFDD6,?,?,?,?,?,00007FF6CE1EFC5C), ref: 00007FF6CE1F3B00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                  • API String ID: 3085332118-232180764
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ErrorLastWindow$LibraryMessage$AddressFreeProcRegisterShellTrace$HandleHookInitializeLoadModuleTaskmanUninitialize
                                                                  • String ID: CPrivilegedPresentationOperations::Start failed$CRemoteAppImmersiveHost::Start failed$CoInitializeEx failed$DoFirstShellInitialization failed$Proxy Desktop$SHELLHOOK$shell32.dll
                                                                  • API String ID: 3743552931-2799058329
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _getptd$Unwind$BlockException$SpecThrow$BaseCatchCheckEntryFramesFunctionImageLookupNestedRangeTrysstd::bad_exception::bad_exception
                                                                  • String ID: bad exception$csm$csm$csm
                                                                  • API String ID: 859065832-820278400
                                                                  • Opcode ID: 961d3fc28a0532d9797317eb9371059e810f62cc5d4e6c383fb01ac14d3e0b66
                                                                  • Instruction ID: d1f69f1166ebad4dc5db31ba6540e646a5497760b8e2a87ba33f00c96a9a7be4
                                                                  • Opcode Fuzzy Hash: 961d3fc28a0532d9797317eb9371059e810f62cc5d4e6c383fb01ac14d3e0b66
                                                                  • Instruction Fuzzy Hash: 7FE18362A096428AEB24DF6595543BD37B0AB64F89F144035EE8DA7F86DE3CE425C3C0
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ErrorLast$AddressFreeHandleLibraryMessageModuleProcRegisterWindow
• String ID: Failed g_RailOrderEncoder.Initialize$Rdptray$Shell_TrayWnd$TSCreateAppbarTrayFN failed$TSCreateShellNotifyTrayFN failed$TSCreateTaskbarTrayFn failed$TSCreateWindowCloakingTracker failed$TaskbarCreated
• API String ID: 1726983798-2394308371
• Opcode ID: a84639dbbd3651984713e914ea97685161e338f62c7ee4a694b04495291f3c96
• Instruction ID: 13b3f4efc2e9dbae13dab5cc887f8e2cfe010615043380fd2205a5bd8ac16774
• Opcode Fuzzy Hash: a84639dbbd3651984713e914ea97685161e338f62c7ee4a694b04495291f3c96
• Instruction Fuzzy Hash: 4DA15B31A08B8786EB199F15E5583797AB1BB64B46F400039F9CEE3FE1DE2CE5558380

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ErrorLast$HandleModuleProcess$ActivityAddressCloseControlEventFileFreeLibraryMessageNameOpenProcThreadTraceWindow
• String ID: GetWindowThreadProcessId failed
• API String ID: 734822871-1931377531
• Opcode ID: 3de359713bbd2919b924c2caff9e27cc0b8c541c95be915694e0228c73ef9e8e
• Instruction ID: d257c4fd1f43ab2da11bf35d82776d6e2264c19f1a631831486ed517a47e10f0
• Opcode Fuzzy Hash: 3de359713bbd2919b924c2caff9e27cc0b8c541c95be915694e0228c73ef9e8e
• Instruction Fuzzy Hash: 6A617D31A08B8685FB149F21A5583B97AB1FBA4B46F440035FACDE3AE1DF7CE4558740

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: FreeProcess$AddressConditionCurrentErrorHandleInfoLastLibraryMaskMemoryMessageModuleProcSessionTraceVerifyVersion
• String ID: IsRailAllowed failed$rdpinit.exe
• API String ID: 1251398502-920810049
• Opcode ID: 4d42d1bbbe3a9053ec1a58d6215e5816e23150e9b73f6d2fee0dc8e440d06bbc
• Instruction ID: 7445bdc3eb44003212d63f64f787a0c96bf70dbe6fae2e04880f159a9d2368d1
• Opcode Fuzzy Hash: 4d42d1bbbe3a9053ec1a58d6215e5816e23150e9b73f6d2fee0dc8e440d06bbc
• Instruction Fuzzy Hash: 67518031B0969686FB10AF28E45037977B1BFA4B4AF500435F98EE29E0DF6CE452C700

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ClassHandleModule$AddressErrorFreeInfoLastLibraryMessageProcRegisterTrace
• String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$P$PAL_SYS_WIN32_TIMER_WNDCLASS
• API String ID: 847019148-2540522816
• Opcode ID: bd0abf8dd1adeacb7128e40f77a1ee8a0f3fda7712eee74064691ed5f1f42d46
• Instruction ID: 4a34d4e04e229642c73d09268b82875b8446f4ef3b7b1a17af108ef44ba95f71
• Opcode Fuzzy Hash: bd0abf8dd1adeacb7128e40f77a1ee8a0f3fda7712eee74064691ed5f1f42d46
• Instruction Fuzzy Hash: 66519F35A18B8686E711DF24E8543A937B0FBA9B45F400236E9CDE3BA0DF3CE5158740

Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryMessageModuleProcTrace
• String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_THREAD_WNDCLASS
• API String ID: 2296332203-1852166344
• Opcode ID: 49bda9ca7a3f6605374966fe2578edf1e42137cf0d454f3b75916ef1eb03644a
• Instruction ID: a8ec5e631d28c639e34290508def72519c9a7cf39af52f95d202259f281834ac
• Opcode Fuzzy Hash: 49bda9ca7a3f6605374966fe2578edf1e42137cf0d454f3b75916ef1eb03644a
• Instruction Fuzzy Hash: 11519D35A18B8645EB119F11E5557B937B0FBA4B4AF400236E9CEE3AA1DE3CE5118340

Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: _errnocalloc$CountCriticalFileInfoInitializeSectionSpinStartupType
• String ID:
• API String ID: 1140310343-0
• Opcode ID: fb42bb65d18bd0072488fd083a99a05dd2b34d83d9a31d5526ae12d381bab424
• Instruction ID: 99ed31fef0dc10d2fe30f2e73457481ae5b0d6567506c758c7b494720850e5ce
• Opcode Fuzzy Hash: fb42bb65d18bd0072488fd083a99a05dd2b34d83d9a31d5526ae12d381bab424
• Instruction Fuzzy Hash: A271E032A08B8686EB14CF14D44437877B1EB65B66F058631EAAE93BD0EF7DE455C380

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: Process$AddressFreeFullHandleImageLibraryMessageModuleNameProcQueryTrace
• String ID: (unknown)$ReportRailShellExec: Couldn't obtain Pid$ReportRailShellExec: Invalid Process Handle$StringCchCopy failed
• API String ID: 3719391974-4207853331
• Opcode ID: b2240f8c9d88c211591df0b86880b3f4cc0e351e8aec2ceedd4a2006cf374b98
• Instruction ID: 37b5005148a65353d66952e994d8f89c9d7dfbea92cac457ab290de506ff90ed
• Opcode Fuzzy Hash: b2240f8c9d88c211591df0b86880b3f4cc0e351e8aec2ceedd4a2006cf374b98
• Instruction Fuzzy Hash: CE719021A08B8649FB509F11E4183B52BB1BBA4B46F540036FACEF3AA1DF7CE551C780

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: Message$Event$DispatchTranslate
• String ID: CTsWindow
• API String ID: 249754900-812663214
• Opcode ID: 29a743fba2c7bf457407bc974d14df0b44793e3c01fcba741013d066ddb08883
• Instruction ID: 3c5571ec59aa2ed1b943a2305a22d5f7a94ffd42cda4bf101e1388611aad6969
• Opcode Fuzzy Hash: 29a743fba2c7bf457407bc974d14df0b44793e3c01fcba741013d066ddb08883
• Instruction Fuzzy Hash: EF512B36A09A4681FB249F21D56537437B0BFA8F56F440531F98EE7AA5DF3CE4648380

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: Free$AddressErrorHandleInformationLastLibraryMemoryMessageModuleProcQuerySessionTrace
• String ID: StringCchCopyW failed in CheckForCdvSession$rdp-tcp
• API String ID: 119749387-803065026
• Opcode ID: 29da9e9a8da3216753b8463ee51c62d0be293a799803d8a532cf36391377aaa6
• Instruction ID: 093dc07af047690a7d53d1d0827006562955134d40fe99e42b5f07133f6e36ba
• Opcode Fuzzy Hash: 29da9e9a8da3216753b8463ee51c62d0be293a799803d8a532cf36391377aaa6
• Instruction Fuzzy Hash: 6C418B32B1879286EB14AF14E85027877B0FBA4B95F440536EA8DE3AA0DF3CE555C340

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: Message$AddressErrorFreeHandleLastLibraryModuleProcRegisterTraceWindow
• String ID: Given NULL tray window$Rdptraytaskband$TaskbarButtonCreated$W
• API String ID: 2130652414-167352204
• Opcode ID: d6e18082d930bfdd3a1f5b2d3846891488750c4fede232062e1340491272c0f0
• Instruction ID: 9e66efa84faf517a5ddb861c3e1a81df26982c01e8acd77347befed60e5eadbe
• Opcode Fuzzy Hash: d6e18082d930bfdd3a1f5b2d3846891488750c4fede232062e1340491272c0f0
• Instruction Fuzzy Hash: DF418C31A08B8689E7549F11E5187697BB0FBA4B86F500035F98DE3AA1DF3CE5968780

Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ErrorFreeLastLocal$AddressAllocHandleInformationInitializeLengthLibraryMessageModuleProcRequiredTokenTrace
• String ID:
• API String ID: 3071448076-0
• Opcode ID: a5a2476667f9c90e458ba643833ba4d266e20d37d81e7791a4a30d3844414213
• Instruction ID: 0fd1328cc9714dcf74655ba5e5a8be5cc96c9bc15def4b89732c5e73c818e6fc
• Opcode Fuzzy Hash: a5a2476667f9c90e458ba643833ba4d266e20d37d81e7791a4a30d3844414213
• Instruction Fuzzy Hash: C8418E31A19B8686FB009F11A56467977B0FBA8B86F441435FACEE3B94DE3CE451C740

Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ConditionMask$InfoOpenQueryValueVerifyVersion
• String ID: SYSTEM\CurrentControlSet\Control\Terminal Server$fEnableUwpApps
• API String ID: 4157361129-1436282892
• Opcode ID: 302e1741176c79092fd9d2bf4985d784c36a8a7fd92db3e1dca699829988bfdf
• Instruction ID: fd37a7adb146823170f4e8e5e7e272efb39589c3417c7f147c583f978a9d41b5
• Opcode Fuzzy Hash: 302e1741176c79092fd9d2bf4985d784c36a8a7fd92db3e1dca699829988bfdf
• Instruction Fuzzy Hash: 19216D36A186828AEB10DF35D4513E9B3B0FB58B45F444535E68DDBAA8EE3CE508CB00

                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
• Opcode ID: 8a023111e7b880c4ad1de727f5ada7d948a2e5b15c4a60d889b7ed50834087bc
• Instruction ID: 5114ded64959c4aa34ec2a2e9affa3094c595b49958b4f714fee117a459f4407
• Instruction Fuzzy Hash: 24B1A272A097C18AE7608F2294003B976F1FB68BAAF040635EA9DA7FD4DF3CD5518744
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: DecodePointer$_lock
• String ID:
• API String ID: 1397512379-0
• Opcode ID: dc41186e67f2ef0cec4284aec90a2dff3ca5d0abc1c21832f58636bc46afc5a7
• Instruction ID: ef9ff26ef9bd724a076ae97262ef63823cd11be11962af3369dee23bfa76e949
• Instruction Fuzzy Hash: 55417F31A19A8281F6509F11A956678B2B0BFACB82F440435FECDB7F95DE3CE5618780
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6CE1F2950: _FF_MSGBANNER.LIBCMT ref: 00007FF6CE1F2980
  • Part of subcall function 00007FF6CE1F2950: HeapAlloc.KERNEL32(?,?,?,00007FF6CE1F3240,?,?,?,00007FF6CE1F3133,?,?,?,00007FF6CE1EEF09,?,?,?,00007FF6CE1EF005), ref: 00007FF6CE1F29A5
  • Part of subcall function 00007FF6CE1F2950: _errno.LIBCMT ref: 00007FF6CE1F29C9
  • Part of subcall function 00007FF6CE1F2950: _errno.LIBCMT ref: 00007FF6CE1F29D4
• _errno.LIBCMT ref: 00007FF6CE1F26C6
• GetLastError.KERNEL32(?,?,00000000,00007FF6CE1EEF9B,?,?,?,00007FF6CE1EF005), ref: 00007FF6CE1F26CE
• _errno.LIBCMT ref: 00007FF6CE1F26DF
• GetLastError.KERNEL32(?,?,00000000,00007FF6CE1EEF9B,?,?,?,00007FF6CE1EF005), ref: 00007FF6CE1F26E7
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: _errno$ErrorLast$AllocHeap
• String ID:
• API String ID: 2462527047-0
• Opcode ID: 37ffcce3890173f1abb3486f3ea39afa0d61b54e2820e849864b18b886151b7c
• Instruction ID: 9758a157a27f454fc1ef9460eca4a230fac605df3e0f45c9e4e1bd677bc36a60
• Instruction Fuzzy Hash: 4A217120E0874345FE54AF61551527961B15FA8FB2F084631FCADE7FD5ED2CE462C680
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: 7d573dbae4fb6ce7ab091d692e618947dd6fa944dc994ad4dca5db7f0babfa2f
• Instruction ID: 9e91774cf114dddd1e47221bc8333f521e23f2a4513a6857700ab907d451887c
• Instruction Fuzzy Hash: 4A111D36A05F818AEB50DF70EC551A833B4FB59759B400A35FAAE83B94EF7CD5A48340
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: $csm
• API String ID: 2395640692-717980254
• Opcode ID: 7961f8a2ad38445c92e65ccacc987ca3c1013779773f7fe5a0fbba517f8b54a0
• Instruction ID: 51f03dbb0fccb6dfaf35fe9e1a452352c2110bc5233ad8214b208aa3c102d3f9
• Instruction Fuzzy Hash: A051B531A0964186E714DF11E504A7937A5FB24F99F108530FE8EA7B88DF7CE892C780
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: AddressCreateFreeHandleLibraryMessageModuleProcTraceWindow
• String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_TIMER_WNDCLASS
• API String ID: 1541505989-1526586533
• Opcode ID: 35fc177df41b71f6158eb20f8f861c5fbf20b388c0d2ad8af403afc1caf178ec
• Instruction ID: 04c72ee52a52372b007c1214e6a5b6232453290d4479197bf4a1953b86c34d13
• Instruction Fuzzy Hash: 45618B35A0878685EB219F11E1543A93BB1FBA4B85F400536FACDE3BA5DF3CE6208740
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: CaptureContextDebugEntryFunctionLookupOutputStringUnwindVirtual
• String ID: Invalid parameter passed to C runtime function.
• API String ID: 711593133-455672764
• Opcode ID: 20d4d24ec6f6ca6c880564b5b9ccfd15e2c865e7d687474481faa615663f2a2b
• Instruction ID: 20a51dbd79b8f6b9f7e50a3e53eee1c89a586a68f8441f472c06df1b6abe7c16
• Instruction Fuzzy Hash: 5911EC36618FC182EA608F11F4A47AAB370FB98796F541535EACE92B95EF3CD154CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: Advapi32.dll$EventActivityIdControl
• API String ID: 4061214504-2884944642
• Opcode ID: f49e1d7b32005a756125095945582c0349aa089aadfb2feaf53eeaead8a7fba5
• Instruction ID: 42927ae390cda5d350a964cb2841a4c57ebfff7acfbf4b4698200079117691ac
• Instruction Fuzzy Hash: D5017175608B8186EB60DF10E86126AB3B0FB98B95F441535F5CED3B68EE3CD140CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: CloseHandleThread$MessageObjectPostSingleWait
• String ID:
• API String ID: 4096524320-0
• Opcode ID: 53d9a5795f8f007dfca8a4149e61f255f56b8c6baa42eefcb31393463ba48dc8
• Instruction ID: 89045e2839284e649fd36c75618326ff2531b4bc59d87d808584493b40c1d6bd
• Instruction Fuzzy Hash: 26F01D35B5998682FB58DF61EA7677432B0BFACB13F540530E49EE69E0CF6C645A8300
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: Event
• String ID: Fail to add thread to thread descriptor$Failed to init in thread context$thread descriptor creation failed in bind path
• API String ID: 4201588131-1929829824
• Opcode ID: c1b8ebae75670d84c308cb605973c5ade0ab485b27d519c5036006b539196f03
• Instruction ID: f8c791771163b45e52882f8f01cfc24454fea80c4e4925641cacf77601f60142
• Instruction Fuzzy Hash: 8EB17D3AA09B8A85EB519F25D85467827B0FFA4F86F450131ED8DE7BA1CF3CE5508300
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Failed to retrieve the activity ID. Event logging will not be per-session, xrefs: 00007FF6CE1C2A7A
Memory Dump Source
• Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
Similarity
• API ID: FreePropertyStation$AddressConnectionErrorHandleLastLibraryMessageModuleProcTraceValue
• String ID: Failed to retrieve the activity ID. Event logging will not be per-session
• API String ID: 1039440006-2480504145
• Opcode ID: 9b476158eeb6d432ba9d93a42f97b684458be4e2086b1c19e1f8d1193753b64d
• Instruction ID: cb6c7bb50873c4402f442b665c90311fc06485761d45d58e19b4aca9d7d18ace
• Instruction Fuzzy Hash: 0C517D31A08A8686FB64AF04E55033427B1BB64B46F541136E9CDE3AE1DE3CE492C340
Uniqueness
Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00007FF6CE1DF158: GetCurrentProcess.KERNEL32(?,?,?,?,?,00007FF6CE1CD5BA), ref: 00007FF6CE1DF16B
                                                                    • Part of subcall function 00007FF6CE1DF158: QueryFullProcessImageNameW.KERNEL32(?,?,?,?,?,00007FF6CE1CD5BA), ref: 00007FF6CE1DF17E
                                                                    • Part of subcall function 00007FF6CE1DF158: GetLastError.KERNEL32(?,?,?,?,?,00007FF6CE1CD5BA), ref: 00007FF6CE1DF188
                                                                    • Part of subcall function 00007FF6CE1DF158: GetLastError.KERNEL32(?,?,?,?,?,00007FF6CE1CD5BA), ref: 00007FF6CE1DF192
                                                                    • Part of subcall function 00007FF6CE1CE570: GetModuleHandleExA.KERNEL32 ref: 00007FF6CE1CE5A4
                                                                    • Part of subcall function 00007FF6CE1CE570: GetProcAddress.KERNEL32 ref: 00007FF6CE1CE5BA
                                                                    • Part of subcall function 00007FF6CE1CE570: FreeLibrary.KERNEL32 ref: 00007FF6CE1CE5DA
                                                                  • CompareStringW.KERNEL32 ref: 00007FF6CE1CD6DF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                   • Associated: 00000014.00000002.814479521.00007FF6CE1C0000.00000002.00020000.sdmp
                                                                   • Associated: 00000014.00000002.814539424.00007FF6CE1FE000.00000002.00020000.sdmp
                                                                   • Associated: 00000014.00000002.814556368.00007FF6CE20D000.00000004.00020000.sdmp
                                                                   • Associated: 00000014.00000002.814569998.00007FF6CE20E000.00000008.00020000.sdmp
                                                                   • Associated: 00000014.00000002.814592695.00007FF6CE211000.00000002.00020000.sdmp
                                                                   • Associated: 00000014.00000002.814603658.00007FF6CE214000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: ErrorLastProcess$AddressCompareCurrentFreeFullHandleImageLibraryModuleNameProcQueryString
                                                                  • String ID: Failed in StringCchCat$GetCurrentExePathName$rdpinitCDV.exe
                                                                  • API String ID: 2133330998-4065295061
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • TlsAlloc.KERNEL32(?,?,?,?,?,00007FF6CE1C11DC), ref: 00007FF6CE1DDDC1
                                                                  • TlsAlloc.KERNEL32(?,?,?,?,?,00007FF6CE1C11DC), ref: 00007FF6CE1DDDCD
                                                                    • Part of subcall function 00007FF6CE1CE570: GetModuleHandleExA.KERNEL32 ref: 00007FF6CE1CE5A4
                                                                    • Part of subcall function 00007FF6CE1CE570: GetProcAddress.KERNEL32 ref: 00007FF6CE1CE5BA
                                                                    • Part of subcall function 00007FF6CE1CE570: FreeLibrary.KERNEL32 ref: 00007FF6CE1CE5DA
                                                                    • Part of subcall function 00007FF6CE1C10D0: TraceMessage.ADVAPI32 ref: 00007FF6CE1C114F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Alloc$AddressFreeHandleLibraryMessageModuleProcTrace
                                                                  • String ID: Failed to initialize timer globals$Failed to initialize timer list lock
                                                                  • API String ID: 1917141336-1902170985
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$DestroyLongProp
                                                                  • String ID: TaskbandHWND
                                                                  • API String ID: 3554528882-3756081107
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 1646373207-1276376045
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00007FF6CE1CF97C: GetCurrentThreadId.KERNEL32 ref: 00007FF6CE1CF985
                                                                  • CoUninitialize.OLE32 ref: 00007FF6CE1D0990
                                                                    • Part of subcall function 00007FF6CE1CE570: GetModuleHandleExA.KERNEL32 ref: 00007FF6CE1CE5A4
                                                                    • Part of subcall function 00007FF6CE1CE570: GetProcAddress.KERNEL32 ref: 00007FF6CE1CE5BA
                                                                    • Part of subcall function 00007FF6CE1CE570: FreeLibrary.KERNEL32 ref: 00007FF6CE1CE5DA
                                                                    • Part of subcall function 00007FF6CE1C10D0: TraceMessage.ADVAPI32 ref: 00007FF6CE1C114F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressCurrentFreeHandleLibraryMessageModuleProcThreadTraceUninitialize
                                                                  • String ID: CPrivilegedPresentationOperations::Stop failed$CRemoteAppImmersiveHost::Stop failed$Terminate failed
                                                                  • API String ID: 3277334465-3639947162
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Free$AddressHandleLibraryLocalMessageModuleProcTrace
                                                                  • String ID: TSCreateRailIcon failed$g_RailOrderEncoder.EncodeRailOrder TS_WINDOW_ICON_ESCCODE failed$rdpIcon.FillEscape failed
                                                                  • API String ID: 386589728-2095034621
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                  • String ID:
                                                                  • API String ID: 140117192-0
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Similarity
                                                                  • API ID: __doserrno_errno
                                                                  • String ID:
                                                                  • API String ID: 921712934-0
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,00007FF6CE1EF0C9,?,?,?,?,00007FF6CE1F29EE,?,?,?,00007FF6CE1F3240), ref: 00007FF6CE1EF636
                                                                  • FlsGetValue.KERNEL32(?,?,?,00007FF6CE1EF0C9,?,?,?,?,00007FF6CE1F29EE,?,?,?,00007FF6CE1F3240), ref: 00007FF6CE1EF644
                                                                  • SetLastError.KERNEL32(?,?,?,00007FF6CE1EF0C9,?,?,?,?,00007FF6CE1F29EE,?,?,?,00007FF6CE1F3240), ref: 00007FF6CE1EF694
                                                                    • Part of subcall function 00007FF6CE1F3368: Sleep.KERNEL32(?,?,?,00007FF6CE1EF65F,?,?,?,00007FF6CE1EF0C9,?,?,?,?,00007FF6CE1F29EE), ref: 00007FF6CE1F33AD
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF6CE1EF0C9,?,?,?,?,00007FF6CE1F29EE,?,?,?,00007FF6CE1F3240), ref: 00007FF6CE1EF670
                                                                  Similarity
                                                                  • API ID: ErrorLastValue_lock$Sleep
                                                                  • String ID:
                                                                  • API String ID: 2491799867-0
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DwmGetWindowAttribute.DWMAPI ref: 00007FF6CE1EB9E8
                                                                    • Part of subcall function 00007FF6CE1CE570: GetModuleHandleExA.KERNEL32 ref: 00007FF6CE1CE5A4
                                                                    • Part of subcall function 00007FF6CE1CE570: GetProcAddress.KERNEL32 ref: 00007FF6CE1CE5BA
                                                                    • Part of subcall function 00007FF6CE1CE570: FreeLibrary.KERNEL32 ref: 00007FF6CE1CE5DA
                                                                    • Part of subcall function 00007FF6CE1CE6FC: TraceMessage.ADVAPI32 ref: 00007FF6CE1CE765
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressAttributeFreeHandleLibraryMessageModuleProcTraceWindow
                                                                  • String ID: DwmGetWindowAttribute (DWMWA_CLOAKED) failed$pCloaked
                                                                  • API String ID: 1856555321-1498491503
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: BlanketCreateInstanceProxy
                                                                  • String ID: @
                                                                  • API String ID: 1899829610-2766056989
                                                                   Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageTrace
                                                                  • String ID: NULL$RemoteAppInit
                                                                  • API String ID: 471583391-2832833466
                                                                  • Opcode ID: 2d2ed586b7e1a3ccfb07cc9fb1383f602f1165132c8fb07de6ba683798d6bde7
                                                                  • Instruction ID: 1c75de0525908875edd0a90f117214171f1ecad886aa81f8984eea96582c5e3f
                                                                  • Opcode Fuzzy Hash: 2d2ed586b7e1a3ccfb07cc9fb1383f602f1165132c8fb07de6ba683798d6bde7
                                                                  • Instruction Fuzzy Hash: B411A072608B8482D7248F04F4507AAB3B5FB55BA1F600235EADD43B98DF7DC160CB00
                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.814497053.00007FF6CE1C1000.00000020.00020000.sdmp, Offset: 00007FF6CE1C0000, based on PE: true
                                                                  • Associated: 00000014.00000002.814479521.00007FF6CE1C0000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814539424.00007FF6CE1FE000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814556368.00007FF6CE20D000.00000004.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814569998.00007FF6CE20E000.00000008.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814592695.00007FF6CE211000.00000002.00020000.sdmp
                                                                  • Associated: 00000014.00000002.814603658.00007FF6CE214000.00000002.00020000.sdmp
                                                                  Similarity
                                                                  • API ID: MessageTrace
                                                                  • String ID: NULL$RemoteAppInit
                                                                  • API String ID: 471583391-2832833466
                                                                  • Opcode ID: cd86ea13bbe307ec0c47b48a4688e05c010d13370e9109335d50472575d480c2
                                                                  • Instruction ID: 3e3def884f5292c4025419392b172ab48160e58c9082c0b4df80090ac9be8d26
                                                                  • Opcode Fuzzy Hash: cd86ea13bbe307ec0c47b48a4688e05c010d13370e9109335d50472575d480c2
                                                                  • Instruction Fuzzy Hash: E9015BB1608F8482DA248B00E460396B2B1FB55761F904335E6DD42BD8EF3DC064CB00
                                                                  Uniqueness Score: -1.00%