Windows Analysis Report E0QkjJowwG

Overview

General Information

Sample Name: E0QkjJowwG (renamed file extension from none to exe)
Analysis ID: 492550
MD5: a1b69800aeb7ecbc49ebb13ce4a88737
SHA1: 96e25aed75903a5a84be3175c6e834a44833bc5d
SHA256: 09bc9c08f80f93317cd8769f85d8921787c677033a5b12a6c310fb92d83f6e41
Tags: exe, njrat
Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to evade analysis by executing a special instruction which causes a usermode exception
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in Windows Explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file has nameless sections
Machine Learning detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the user root directory
Modifies the windows firewall
Contains functionality to spread to USB devices (.Net source)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Drops PE files to the user directory
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • E0QkjJowwG.exe (PID: 2700 cmdline: 'C:\Users\user\Desktop\E0QkjJowwG.exe' MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
    • Yandex.exe (PID: 3100 cmdline: 'C:\Users\user\Yandex.exe' MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
      • netsh.exe (PID: 4492 cmdline: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Yandex.exe (PID: 4420 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • Yandex.exe (PID: 4796 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • Yandex.exe (PID: 4764 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
E0QkjJowwG.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
C:\Users\user\Yandex.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x6dab:$a1: netsh firewall add allowedprogram
  • 0x6d7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x6f9b:$b1: [TAP]
  • 0x6e97:$c3: cmd.exe /c ping
00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x6d7b:$reg: SEE_MASK_NOZONECHECKS
  • 0x6a6a:$msg: Execute ERROR
  • 0x6ac2:$msg: Execute ERROR
  • 0x6e97:$ping: cmd.exe /c ping 0 -n 2 & del
00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x6dab:$a1: netsh firewall add allowedprogram
  • 0x6d7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x6f9b:$b1: [TAP]
  • 0x6e97:$c3: cmd.exe /c ping
(16 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.Yandex.exe.70000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
5.0.Yandex.exe.70000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
0.0.E0QkjJowwG.exe.f20000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
6.0.Yandex.exe.70000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
7.0.Yandex.exe.70000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://
(15 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Yandex.exe', ParentImage: C:\Users\user\Yandex.exe, ParentProcessId: 3100, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, ProcessId: 4492

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: E0QkjJowwG.exe | Virustotal: Detection: 42%
Source: E0QkjJowwG.exe | Metadefender: Detection: 34%
Source: E0QkjJowwG.exe | ReversingLabs: Detection: 60%
Yara detected Njrat
Source: Yara match | File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: E0QkjJowwG.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | Avira: detection malicious, Label: HEUR/AGEN.1142875
Source: C:\Users\user\Yandex.exe | Avira: detection malicious, Label: HEUR/AGEN.1142875
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Yandex.exe | Metadefender: Detection: 34%
Source: C:\Users\user\Yandex.exe | ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: E0QkjJowwG.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Yandex.exe | Joe Sandbox ML: detected
Source: 5.2.Yandex.exe.a0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.70000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 1.2.Yandex.exe.70000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 7.2.Yandex.exe.70000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 5.2.Yandex.exe.70000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f50000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.Yandex.exe.a0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.a0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 7.2.Yandex.exe.a0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
Source: E0QkjJowwG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs | .Net Code: USBspr
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: USBspr
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: USBspr
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: USBspr
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: USBspr
Source: E0QkjJowwG.exe | Binary or memory string: [autorun] open=
Source: E0QkjJowwG.exe | Binary or memory string: autorun.inf
Source: E0QkjJowwG.exe, 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: E0QkjJowwG.exe, 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe | Binary or memory string: autorun.inf
Source: Yandex.exe | Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Yandex.exe, 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe | Binary or memory string: autorun.inf
Source: Yandex.exe | Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe | Binary or memory string: autorun.inf
Source: Yandex.exe | Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp | Binary or memory string: autorun.inf![autorun]

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 3.142.167.4 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 13.58.157.220 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 3.142.167.54 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 3.142.129.56 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 3.142.81.166 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 3.19.130.43 ports 1,2,12549,4,5,9
Source: global traffic | TCP traffic: 192.168.2.3:49690 -> 3.19.130.43:12549
Source: global traffic | TCP traffic: 192.168.2.3:49693 -> 3.142.129.56:12549
Source: global traffic | TCP traffic: 192.168.2.3:49695 -> 3.142.81.166:12549
Source: global traffic | TCP traffic: 192.168.2.3:49696 -> 3.142.167.4:12549
Source: global traffic | TCP traffic: 192.168.2.3:49706 -> 13.58.157.220:12549
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 3.142.167.54:12549
Source: E0QkjJowwG.exe | String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: E0QkjJowwG.exe | String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: E0QkjJowwG.exe | String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: unknown | DNS traffic detected: queries for: 8.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: E0QkjJowwG.exe, 00000000.00000002.306621221.00000000013EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
PE file has nameless sections
Source: E0QkjJowwG.exe | Static PE information: section name:
Source: E0QkjJowwG.exe | Static PE information: section name:
Source: E0QkjJowwG.exe | Static PE information: section name:
Source: E0QkjJowwG.exe | Static PE information: section name:
Source: Yandex.exe.0.dr | Static PE information: section name:
Source: Yandex.exe.0.dr | Static PE information: section name:
Source: Yandex.exe.0.dr | Static PE information: section name:
Source: Yandex.exe.0.dr | Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr | Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr | Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr | Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr | Static PE information: section name:
Source: E0QkjJowwG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: E0QkjJowwG.exe, type: SAMPLE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.0.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 6.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 7.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\Yandex.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Code function: 0_2_010AE411
Source: C:\Users\user\Yandex.exe | Code function: 1_2_000E00CF
Source: C:\Users\user\Yandex.exe | Code function: 5_2_000E00CF
Source: C:\Users\user\Yandex.exe | Code function: 6_2_000E00CF
Source: E0QkjJowwG.exe | Virustotal: Detection: 42%
Source: E0QkjJowwG.exe | Metadefender: Detection: 34%
Source: E0QkjJowwG.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | File read: C:\Users\user\Desktop\E0QkjJowwG.exe
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\E0QkjJowwG.exe 'C:\Users\user\Desktop\E0QkjJowwG.exe'
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeFile created: C:\Users\user\Yandex.exeJump to behavior
      Source: classification engineClassification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/3@32/6
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
      Source: C:\Users\user\Yandex.exeMutant created: \Sessions\1\BaseNamedObjects\33a62d2d2e6f6fc30153b1b0408eca36SGFjS2Vk
      Source: C:\Users\user\Yandex.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Yandex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Yandex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Yandex.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: E0QkjJowwG.exeStatic file information: File size 1246208 > 1048576

      Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe | Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
.NET source code contains potential unpacker
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Code function: 0_2_00F26DC3 push cs; retf 0_2_00F26DC4
Source: C:\Users\user\Yandex.exe | Code function: 1_2_00076DC3 push cs; retf 1_2_00076DC4
Source: C:\Users\user\Yandex.exe | Code function: 5_2_00076DC3 push cs; retf 5_2_00076DC4
Source: C:\Users\user\Yandex.exe | Code function: 6_2_00076DC3 push cs; retf 6_2_00076DC4
Source: E0QkjJowwG.exe | Static PE information: section name: (empty; 4 nameless sections listed)
Source: Yandex.exe.0.dr | Static PE information: section name: (empty; 4 nameless sections listed)
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr | Static PE information: section name: (empty; 4 nameless sections listed)
Source: initial sample | Static PE information: section where entry point is pointing to: .data
Source: initial sample | Static PE information: section name: (empty) entropy: 7.92098871266
Source: initial sample | Static PE information: section name: .data entropy: 7.98017185611
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | File created: C:\Users\user\Yandex.exe
Source: C:\Users\user\Yandex.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe

      Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Yandex.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Yandex.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | File created: C:\Users\user\Yandex.exe

      Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Yandex.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Users\user\Yandex.exe | Process information set: NOOPENFILEERRORBOX (96 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)

      Malware Analysis System Evasion:

Tries to evade analysis by execution special instruction which cause usermode exception
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Special instruction interceptor: First address: 0000000001030700 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\Yandex.exe | Special instruction interceptor: First address: 0000000000180700 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\Desktop\E0QkjJowwG.exe TID: 5480 | Thread sleep count: 76 > 30
Source: C:\Users\user\Yandex.exe TID: 5104 | Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Yandex.exe TID: 3648 | Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Yandex.exe TID: 5416 | Thread sleep count: 76 > 30
Source: C:\Users\user\Yandex.exe TID: 5416 | Thread sleep count: 322 > 30
Source: C:\Users\user\Yandex.exe TID: 4756 | Thread sleep count: 586 > 30
Source: C:\Users\user\Yandex.exe TID: 4756 | Thread sleep count: 51 > 30
Source: C:\Users\user\Yandex.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Yandex.exe | Window / User API: threadDelayed 362
Source: C:\Users\user\Yandex.exe | Window / User API: threadDelayed 6086
Source: C:\Users\user\Yandex.exe | Window / User API: threadDelayed 608
Source: C:\Users\user\Yandex.exe | Window / User API: threadDelayed 586
Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process information queried: ProcessInformation
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: "Windows 8 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-V (guest)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: ~VirtualMachineTypes
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305995650.00000000010AC000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: )Windows 8 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: %Windows 2012 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: $Windows 8.1 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: ,Windows 2012 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: ,Windows 2016 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: VBoxService.exe
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-VU
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: *Windows 10 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: VMWare
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

      Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process token adjusted: Debug
Source: C:\Users\user\Yandex.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: Program Manager|9
Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: Program Manager<
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Yandex.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Modifies the windows firewall
Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match, file source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

Remote Access Functionality:

Yara detected Njrat
Source: Yara match, file sources: the same 16 matches (5 unpacked PEs, 6 memory dumps, 5 process memory spaces) listed under "Stealing of Sensitive Information" above

Mitre Att&ck Matrix

(Trailing numbers are the per-technique signature counts that the report renders as superscripts.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 11 | Native API 1 | Startup Items 1 | Startup Items 1 | Masquerading 111 | Input Capture 11 | Security Software Discovery 31 | Replication Through Removable Media 11 | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Process Injection 12 | Virtualization/Sandbox Evasion 11 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 221 | Disable or Modify Tools 21 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Peripheral Device Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 32 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

Behavior Graph ID: 492550, Sample: E0QkjJowwG, Start date: 28/09/2021, Architecture: WINDOWS, Score: 100

• Start node (node 2): contacts 8.tcp.ngrok.io. Signatures: Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, 11 other signatures. Started processes: E0QkjJowwG.exe (node 9; graph counters 3, 4), Yandex.exe (node 13; counter 2), Yandex.exe (node 15; counter 2), Yandex.exe (node 17; counter 2).
• E0QkjJowwG.exe (node 9): dropped C:\Users\user\Yandex.exe (PE32). Signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Drops PE files to the user root directory, Tries to evade analysis by execution special instruction which cause usermode exception. Started Yandex.exe (node 19; graph counters 4, 5).
• Yandex.exe (node 13): Hides threads from debuggers.
• Yandex.exe (node 19): contacts 13.58.157.220 (ports 12549, 49706, 49714; AMAZON-02US, United States), 3.142.129.56 (ports 12549, 49693, 49694; AMAZON-02US, United States) and 4 other IPs or domains. Dropped C:\...\33a62d2d2e6f6fc30153b1b0408eca36.exe (PE32). Signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), 9 other signatures. Started netsh.exe (node 24; graph counters 1, 3).
• netsh.exe (node 24): started conhost.exe (node 26).

      Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
E0QkjJowwG.exe | 43% | Virustotal |
E0QkjJowwG.exe | 34% | Metadefender |
E0QkjJowwG.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
E0QkjJowwG.exe | 100% | Avira | HEUR/AGEN.1142875
E0QkjJowwG.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 100% | Avira | HEUR/AGEN.1142875
C:\Users\user\Yandex.exe | 100% | Avira | HEUR/AGEN.1142875
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 100% | Joe Sandbox ML |
C:\Users\user\Yandex.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 34% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Yandex.exe | 34% | Metadefender |
C:\Users\user\Yandex.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.Yandex.exe.a0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
6.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
1.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
6.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.2.E0QkjJowwG.exe.f20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
7.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
5.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
5.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.2.E0QkjJowwG.exe.f50000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.2.Yandex.exe.a0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
7.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.0.E0QkjJowwG.exe.f20000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
6.2.Yandex.exe.a0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
7.2.Yandex.exe.a0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2

      Domains

      No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.enigmaprotector.com/ | 0% | URL Reputation | safe
http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe
http://www.enigmaprotector.com/openU | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
8.tcp.ngrok.io | 3.19.130.43 | true | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr | E0QkjJowwG.exe | false | | high
http://www.enigmaprotector.com/ | Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | false | URL Reputation: safe | unknown
http://pki-ocsp.symauth.com0 | E0QkjJowwG.exe | false | URL Reputation: safe | unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07 | E0QkjJowwG.exe | false | | high
http://www.enigmaprotector.com/openU | E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.142.129.56 | unknown | United States | 16509 | AMAZON-02US | true
3.142.81.166 | unknown | United States | 16509 | AMAZON-02US | true
3.142.167.4 | unknown | United States | 16509 | AMAZON-02US | true
3.19.130.43 | 8.tcp.ngrok.io | United States | 16509 | AMAZON-02US | false
13.58.157.220 | unknown | United States | 16509 | AMAZON-02US | true
3.142.167.54 | unknown | United States | 16509 | AMAZON-02US | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492550
Start date: 28.09.2021
Start time: 20:03:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: E0QkjJowwG (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.adwa.spyw.evad.winEXE@9/3@32/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 88.1% (good quality ratio 83%)
• Quality average: 77.9%
• Quality standard deviation: 27.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 8.253.207.121, 8.248.119.254, 8.238.85.126, 67.26.139.254, 8.248.139.254
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:04:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:41 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Process: C:\Users\user\Yandex.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1246208
Entropy (8bit): 7.913768279846037
Encrypted: false
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl
MD5: A1B69800AEB7ECBC49EBB13CE4A88737
SHA1: 96E25AED75903A5A84BE3175C6E834A44833BC5D
SHA-256: 09BC9C08F80F93317CD8769F85D8921787C677033A5B12A6C310FB92D83F6E41
SHA-512: D4D5112B5F7C7ED676B2D41828B25A339A39235AAF8DE51BC1CFDD35A73ACF279CD3E7AC0434F93EAF20D35F9A5173FF0C49987B6D5B8E4E03131C29DEDC20C5
Malicious: true
Yara Hits:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 60%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................z...........:.. ........@.. ........................:.. ........@... .. .... .. .................. P,..............................P,.................................................................................................. ...<... ..............@............ ...........\..............@............ ...........^..............@....rsrc.... ...........`..............@............ )..........l..............@....data........ ,......T..............@............................................b0..J.6$.r..(........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Yandex.exe
Process: C:\Users\user\Desktop\E0QkjJowwG.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1246208
Entropy (8bit): 7.913768279846037
Encrypted: false
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl
MD5: A1B69800AEB7ECBC49EBB13CE4A88737
SHA1: 96E25AED75903A5A84BE3175C6E834A44833BC5D
SHA-256: 09BC9C08F80F93317CD8769F85D8921787C677033A5B12A6C310FB92D83F6E41
SHA-512: D4D5112B5F7C7ED676B2D41828B25A339A39235AAF8DE51BC1CFDD35A73ACF279CD3E7AC0434F93EAF20D35F9A5173FF0C49987B6D5B8E4E03131C29DEDC20C5
Malicious: true
Yara Hits:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\Yandex.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 60%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................z...........:.. ........@.. ........................:.. ........@... .. .... .. .................. P,..............................P,.................................................................................................. ...<... ..............@............ ...........\..............@............ ...........^..............@....rsrc.... ...........`..............@............ )..........l..............@....data........ ,......T..............@............................................b0..J.6$.r..(........................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 313
Entropy (8bit): 4.971939296804078
Encrypted: false
SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5: 689E2126A85BF55121488295EE068FA1
SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious: false
Reputation: unknown
            Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.913768279846037
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: E0QkjJowwG.exe
File size: 1246208
MD5: a1b69800aeb7ecbc49ebb13ce4a88737
SHA1: 96e25aed75903a5a84be3175c6e834a44833bc5d
SHA256: 09bc9c08f80f93317cd8769f85d8921787c677033a5b12a6c310fb92d83f6e41
SHA512: d4d5112b5f7c7ed676b2d41828b25a339a39235aaf8de51bc1cfdd35a73acf279cd3e7ac0434f93eaf20d35f9a5173ff0c49987b6d5b8e4e03131c29dedc20c5
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................z............:.. ........@.. ........................:.. ........@... .. .... .. .................

File Icon

Icon Hash: 70c09286acceec31

Static PE Info

General

Entrypoint: 0x7ab9ec
Entrypoint Section: .data
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x610909D1 [Tue Aug 3 09:18:09 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2e5467cba76f44a088d39f78c5e807b6

            Entrypoint Preview

            Instruction
            jmp 00007F91C0E9A83Ah
            add byte ptr [esp+eax+00h], dl
            add byte ptr [eax], al
            add byte ptr [eax], al
            pushad
            call 00007F91C0E9A835h
            pop ebp
            sub ebp, 00000010h
            sub ebp, 003AB9ECh
            jmp 00007F91C0E9A839h
            xlatb
            mov cl, D8h
            sbb eax, 3AB9ECB8h
            add byte ptr [ebx], al
            lds eax, fword ptr [ecx+00004CC0h]
            add byte ptr [ecx+000005C0h], bh
            mov edx, D833A21Dh
            xor byte ptr [eax], dl
            inc eax
            dec ecx
            jne 00007F91C0E9A82Ch
            jmp 00007F91C0E9A839h
            and eax, 9682B3C4h
            rcl byte ptr [esi+1D1D2194h], 1
            sbb eax, 1DE5DC9Ch
            sbb eax, A5D01E1Dh
            sbb dword ptr [35A71D1Dh], ebx
            sbb eax, FFEA1D1Dh
            push ds
            aad 96h
            pushfd
            adc dword ptr [D81E1D1Dh], ebx
            dec ebp
            dec ebp
            jne 00007F91C0E9A7CFh
            jp 00007F91C0E9A845h
            sbb eax, 314F7775h
            sbb eax, 7539311Ch
            shl byte ptr [ecx], 1
            sti
            dec esi
            cmc
            sbb byte ptr [37F41D1Dh], bl
            sbb eax, 90481D1Dh
            jno 00007F91C0E9A86Bh
            sbb eax, 1D159896h
            sbb eax, 1188961Dh
            sbb eax, 90961D1Dh
            or eax, DC1D1D1Dh
            hlt
            pop ds
            sub al, 1Fh
            sahf
            fistp word ptr [ecx]
            push esp
            adc bl, byte ptr [eax-1D1D1D17h]
            inc eax
            fist word ptr [ecx]
            sbb eax, 19399196h
            sbb eax, 9D751D1Dh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c5020 | 0x210 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x10b0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c5000 | 0xc | .data
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x2000 | 0x8000 | 0x3c00 | False | 0.970572916667 | data | 7.92098871266 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(no name) | 0xa000 | 0x12000 | 0x200 | False | 0.072265625 | data | 0.487890975135 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(no name) | 0x1c000 | 0x2000 | 0x200 | False | 0.056640625 | data | 0.321716074313 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1e000 | 0x12000 | 0x10c00 | False | 0.185867537313 | data | 4.58721100046 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(no name) | 0x30000 | 0x292000 | 0x2e800 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x2c2000 | 0xec000 | 0xeb000 | False | 0.987041846742 | data | 7.98017185611 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1e0e8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0x2e910 | 0x14 | data | |
RT_MANIFEST | 0x2e924 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

Imports

DLL | Import
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
mscoree.dll | _CorExeMain

            Network Behavior

            Snort IDS Alerts

            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            09/28/21-20:04:32.486838 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60496 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:04:43.011013 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62151 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:04:50.439909 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49539 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:04:54.112899 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57558 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:05:11.955219 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58045 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:05:15.454923 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57459 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:05:22.686753 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54154 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:05:26.417990 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52806 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:05:58.855200 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52130 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:06:13.000628 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49559 | 8.8.8.8 | 192.168.2.3
            09/28/21-20:06:20.264329 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63297 | 8.8.8.8 | 192.168.2.3

            Network Port Distribution

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 28, 2021 20:04:32.494705915 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:32.646075964 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:33.152524948 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:33.301923037 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:33.809551954 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:33.958230019 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:36.009938002 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:36.158320904 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:36.669785976 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:36.818339109 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:37.324877024 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:37.474112988 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:39.509716988 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:39.657840014 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:40.168752909 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:40.316986084 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:40.825207949 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:40.973334074 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:43.013307095 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:43.162750959 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:43.670242071 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:43.820327997 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:44.325480938 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:44.474318981 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:46.514872074 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:46.663427114 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:47.169485092 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:47.317873955 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:47.825602055 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:48.120898008 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:50.589143991 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:50.738152981 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:51.248143911 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:51.397202969 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:51.906282902 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:52.055583954 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:54.115447044 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:54.264077902 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:54.763753891 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:54.912102938 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:55.420063972 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:55.569694996 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:57.606873989 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:57.755604982 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:58.264122963 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:58.413053989 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:58.920432091 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:59.069017887 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:01.104893923 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:01.253823042 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:01.764389992 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:01.916882992 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:02.420602083 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:02.569538116 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:04.752793074 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:04.900978088 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:05.405242920 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:05.553455114 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:06.061832905 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:06.209996939 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:08.449039936 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:08.597362041 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:09.108802080 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:09.257083893 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:09.764964104 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:09.913146973 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:11.957526922 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:12.106084108 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:12.608983040 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:12.757340908 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:13.265381098 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:13.414545059 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:15.456262112 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:15.604578972 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:16.109292030 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:16.257626057 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:16.765732050 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:16.914838076 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:18.951183081 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:19.099478006 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:19.609648943 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:19.759922981 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:20.265989065 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:20.416990995 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:22.689666033 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:22.838098049 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:23.344409943 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:23.493143082 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:24.000622034 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:24.148941040 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:26.423860073 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:26.578692913 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:27.079024076 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:27.227451086 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:27.735289097 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:27.884355068 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:29.928553104 CEST | 49707 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:30.077085972 CEST | 12549 | 49707 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:30.579598904 CEST | 49707 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:30.728188992 CEST | 12549 | 49707 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:31.235717058 CEST | 49707 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:31.384166956 CEST | 12549 | 49707 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:33.428797960 CEST | 49708 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:33.577296019 CEST | 12549 | 49708 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:34.079735041 CEST | 49708 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:34.228074074 CEST | 12549 | 49708 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:34.735927105 CEST | 49708 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:34.884171009 CEST | 12549 | 49708 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:36.922452927 CEST | 49709 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:37.070593119 CEST | 12549 | 49709 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:37.579845905 CEST | 49709 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:37.731232882 CEST | 12549 | 49709 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:38.236320972 CEST | 49709 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:38.384526014 CEST | 12549 | 49709 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:40.544183016 CEST | 49710 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:40.692198038 CEST | 12549 | 49710 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:41.205280066 CEST | 49710 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:41.353593111 CEST | 12549 | 49710 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:41.861437082 CEST | 49710 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:42.010606050 CEST | 12549 | 49710 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:44.592606068 CEST | 49711 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:44.741982937 CEST | 12549 | 49711 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:45.252464056 CEST | 49711 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:45.402105093 CEST | 12549 | 49711 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:45.909961939 CEST | 49711 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:46.058607101 CEST | 12549 | 49711 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:48.093449116 CEST | 49712 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:48.242109060 CEST | 12549 | 49712 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:48.752821922 CEST | 49712 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:48.901232004 CEST | 12549 | 49712 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:49.413161993 CEST | 49712 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:49.561177015 CEST | 12549 | 49712 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:51.596076965 CEST | 49713 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:51.744317055 CEST | 12549 | 49713 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:52.253144979 CEST | 49713 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:52.401623011 CEST | 12549 | 49713 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:52.909415007 CEST | 49713 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:53.058000088 CEST | 12549 | 49713 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:55.155314922 CEST | 49714 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:55.304626942 CEST | 12549 | 49714 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:55.815992117 CEST | 49714 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:55.964524984 CEST | 12549 | 49714 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:56.472197056 CEST | 49714 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:56.621046066 CEST | 12549 | 49714 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:58.858783007 CEST | 49715 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:05:59.007968903 CEST | 12549 | 49715 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:05:59.519787073 CEST | 49715 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:05:59.668797970 CEST | 12549 | 49715 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:00.178035975 CEST | 49715 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:00.327766895 CEST | 12549 | 49715 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:02.365755081 CEST | 49716 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:02.514379025 CEST | 12549 | 49716 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:03.019579887 CEST | 49716 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:03.168299913 CEST | 12549 | 49716 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:03.675877094 CEST | 49716 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:03.824569941 CEST | 12549 | 49716 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:05.866127014 CEST | 49717 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:06.014496088 CEST | 12549 | 49717 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:06.519993067 CEST | 49717 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:06.668236017 CEST | 12549 | 49717 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:07.176172018 CEST | 49717 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:07.330302954 CEST | 12549 | 49717 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:09.378698111 CEST | 49718 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:09.528960943 CEST | 12549 | 49718 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:10.059798002 CEST | 49718 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:10.233098030 CEST | 12549 | 49718 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:10.780457973 CEST | 49718 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:10.943317890 CEST | 12549 | 49718 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:13.012825012 CEST | 49719 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:13.160945892 CEST | 12549 | 49719 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:13.675844908 CEST | 49719 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:13.823941946 CEST | 12549 | 49719 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:14.350903034 CEST | 49719 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:06:14.500524044 CEST | 12549 | 49719 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:06:16.778383970 CEST | 49720 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:16.928380966 CEST | 12549 | 49720 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:17.431736946 CEST | 49720 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:17.581737041 CEST | 12549 | 49720 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:18.087188005 CEST | 49720 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:18.235991955 CEST | 12549 | 49720 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:20.265103102 CEST | 49721 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:06:20.413575888 CEST | 12549 | 49721 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:06:20.927432060 CEST | 49721 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:06:21.075870991 CEST | 12549 | 49721 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:06:21.584175110 CEST | 49721 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:06:21.732722998 CEST | 12549 | 49721 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:06:23.762461901 CEST | 49722 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:23.911540031 CEST | 12549 | 49722 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:24.412148952 CEST | 49722 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:24.561276913 CEST | 12549 | 49722 | 3.142.167.54 | 192.168.2.3
            Sep 28, 2021 20:06:25.068392992 CEST | 49722 | 12549 | 192.168.2.3 | 3.142.167.54
            Sep 28, 2021 20:06:25.217704058 CEST | 12549 | 49722 | 3.142.167.54 | 192.168.2.3

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 28, 2021 20:04:32.464540958 CEST | 60496 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:32.486838102 CEST | 53 | 60496 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:35.990257978 CEST | 59579 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:36.007617950 CEST | 53 | 59579 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:39.490201950 CEST | 54781 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:39.507852077 CEST | 53 | 54781 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:42.990324020 CEST | 62151 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:43.011013031 CEST | 53 | 62151 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:46.492119074 CEST | 51209 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:46.511693001 CEST | 53 | 51209 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:50.417612076 CEST | 49539 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:50.439908981 CEST | 53 | 49539 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:54.089463949 CEST | 57558 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:54.112899065 CEST | 53 | 57558 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:57.585732937 CEST | 53187 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:57.604866028 CEST | 53 | 53187 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:01.084588051 CEST | 58604 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:01.102406979 CEST | 53 | 58604 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:01.439946890 CEST | 51668 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:01.457065105 CEST | 53 | 51668 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:04.733242989 CEST | 52206 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:04.751188993 CEST | 53 | 52206 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:08.423963070 CEST | 56844 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:08.443677902 CEST | 53 | 56844 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:11.933850050 CEST | 58045 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:11.955219030 CEST | 53 | 58045 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:15.433373928 CEST | 57459 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:15.454922915 CEST | 53 | 57459 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:18.929981947 CEST | 57875 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:18.949404001 CEST | 53 | 57875 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:22.664371967 CEST | 54154 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:22.686753035 CEST | 53 | 54154 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:26.395843029 CEST | 52806 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:26.417989969 CEST | 53 | 52806 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:29.904227972 CEST | 53910 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:29.924336910 CEST | 53 | 53910 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:33.407552004 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:33.427434921 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:36.903136969 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:36.920691013 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:40.521313906 CEST | 51143 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:40.541754007 CEST | 53 | 51143 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:44.543060064 CEST | 56009 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:44.562714100 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:48.072393894 CEST | 59026 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:48.091933012 CEST | 53 | 59026 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:51.574587107 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:51.594619036 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:55.132102966 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:55.154114962 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:58.832813025 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:58.855200052 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:02.340394020 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:02.361852884 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:05.844444990 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:05.864159107 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:09.352875948 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:09.373269081 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:12.970681906 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:13.000627995 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:16.756254911 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:16.776082039 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:20.244434118 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:20.264328957 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:23.741792917 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:23.761253119 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Sep 28, 2021 20:04:32.464540958 CEST | 192.168.2.3 | 8.8.8.8 | 0x453 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:35.990257978 CEST | 192.168.2.3 | 8.8.8.8 | 0x97b8 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:39.490201950 CEST | 192.168.2.3 | 8.8.8.8 | 0x1b5 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:42.990324020 CEST | 192.168.2.3 | 8.8.8.8 | 0x18ea | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:46.492119074 CEST | 192.168.2.3 | 8.8.8.8 | 0x5c16 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:50.417612076 CEST | 192.168.2.3 | 8.8.8.8 | 0x9793 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:54.089463949 CEST | 192.168.2.3 | 8.8.8.8 | 0x62d6 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:57.585732937 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b62 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:01.084588051 CEST | 192.168.2.3 | 8.8.8.8 | 0xa907 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:04.733242989 CEST | 192.168.2.3 | 8.8.8.8 | 0xd04a | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:08.423963070 CEST | 192.168.2.3 | 8.8.8.8 | 0x1621 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:11.933850050 CEST | 192.168.2.3 | 8.8.8.8 | 0x6106 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:15.433373928 CEST | 192.168.2.3 | 8.8.8.8 | 0x62bd | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:18.929981947 CEST | 192.168.2.3 | 8.8.8.8 | 0x813d | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:22.664371967 CEST | 192.168.2.3 | 8.8.8.8 | 0xb69c | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:26.395843029 CEST | 192.168.2.3 | 8.8.8.8 | 0xe838 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:29.904227972 CEST | 192.168.2.3 | 8.8.8.8 | 0x3488 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:33.407552004 CEST | 192.168.2.3 | 8.8.8.8 | 0x666b | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:36.903136969 CEST | 192.168.2.3 | 8.8.8.8 | 0x9eca | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:40.521313906 CEST | 192.168.2.3 | 8.8.8.8 | 0x7931 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:44.543060064 CEST | 192.168.2.3 | 8.8.8.8 | 0xcb20 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:48.072393894 CEST | 192.168.2.3 | 8.8.8.8 | 0x485 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:51.574587107 CEST | 192.168.2.3 | 8.8.8.8 | 0x65ff | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:55.132102966 CEST | 192.168.2.3 | 8.8.8.8 | 0x9d9f | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:58.832813025 CEST | 192.168.2.3 | 8.8.8.8 | 0x3be7 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:02.340394020 CEST | 192.168.2.3 | 8.8.8.8 | 0x9005 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:05.844444990 CEST | 192.168.2.3 | 8.8.8.8 | 0x5888 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:09.352875948 CEST | 192.168.2.3 | 8.8.8.8 | 0x1be3 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:12.970681906 CEST | 192.168.2.3 | 8.8.8.8 | 0xd553 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:16.756254911 CEST | 192.168.2.3 | 8.8.8.8 | 0xc9d8 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:20.244434118 CEST | 192.168.2.3 | 8.8.8.8 | 0x611a | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:23.741792917 CEST | 192.168.2.3 | 8.8.8.8 | 0xd1db | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Sep 28, 2021 20:04:32.486838102 CEST | 8.8.8.8 | 192.168.2.3 | 0x453 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:36.007617950 CEST | 8.8.8.8 | 192.168.2.3 | 0x97b8 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:39.507852077 CEST | 8.8.8.8 | 192.168.2.3 | 0x1b5 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:43.011013031 CEST | 8.8.8.8 | 192.168.2.3 | 0x18ea | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:46.511693001 CEST | 8.8.8.8 | 192.168.2.3 | 0x5c16 | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:50.439908981 CEST | 8.8.8.8 | 192.168.2.3 | 0x9793 | No error (0) | 8.tcp.ngrok.io | | 3.142.81.166 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:54.112899065 CEST | 8.8.8.8 | 192.168.2.3 | 0x62d6 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:57.604866028 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b62 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:01.102406979 CEST | 8.8.8.8 | 192.168.2.3 | 0xa907 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:04.751188993 CEST | 8.8.8.8 | 192.168.2.3 | 0xd04a | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:08.443677902 CEST | 8.8.8.8 | 192.168.2.3 | 0x1621 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:11.955219030 CEST | 8.8.8.8 | 192.168.2.3 | 0x6106 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:15.454922915 CEST | 8.8.8.8 | 192.168.2.3 | 0x62bd | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:18.949404001 CEST | 8.8.8.8 | 192.168.2.3 | 0x813d | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:22.686753035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb69c | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:26.417989969 CEST | 8.8.8.8 | 192.168.2.3 | 0xe838 | No error (0) | 8.tcp.ngrok.io | | 13.58.157.220 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:29.924336910 CEST | 8.8.8.8 | 192.168.2.3 | 0x3488 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:33.427434921 CEST | 8.8.8.8 | 192.168.2.3 | 0x666b | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:36.920691013 CEST | 8.8.8.8 | 192.168.2.3 | 0x9eca | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:40.541754007 CEST | 8.8.8.8 | 192.168.2.3 | 0x7931 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:44.562714100 CEST | 8.8.8.8 | 192.168.2.3 | 0xcb20 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:48.091933012 CEST | 8.8.8.8 | 192.168.2.3 | 0x485 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:51.594619036 CEST | 8.8.8.8 | 192.168.2.3 | 0x65ff | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:55.154114962 CEST | 8.8.8.8 | 192.168.2.3 | 0x9d9f | No error (0) | 8.tcp.ngrok.io | | 13.58.157.220 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:58.855200052 CEST | 8.8.8.8 | 192.168.2.3 | 0x3be7 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:02.361852884 CEST | 8.8.8.8 | 192.168.2.3 | 0x9005 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:05.864159107 CEST | 8.8.8.8 | 192.168.2.3 | 0x5888 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:09.373269081 CEST | 8.8.8.8 | 192.168.2.3 | 0x1be3 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:13.000627995 CEST | 8.8.8.8 | 192.168.2.3 | 0xd553 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:16.776082039 CEST | 8.8.8.8 | 192.168.2.3 | 0xc9d8 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:20.264328957 CEST | 8.8.8.8 | 192.168.2.3 | 0x611a | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:23.761253119 CEST | 8.8.8.8 | 192.168.2.3 | 0xd1db | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)

            Code Manipulations

            Statistics

            CPU Usage

            Memory Usage

            High Level Behavior Distribution

            Behavior

            System Behavior

            General

            Start time: 20:04:14
            Start date: 28/09/2021
            Path: C:\Users\user\Desktop\E0QkjJowwG.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\Desktop\E0QkjJowwG.exe'
            Imagebase: 0xf20000
            File size: 1246208 bytes
            MD5 hash: A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation: low

            General

            Start time:20:04:21
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe'
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\Yandex.exe, Author: Florian Roth
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 34%, Metadefender
            • Detection: 60%, ReversingLabs
            Reputation:low

            General

            Start time:20:04:29
            Start date:28/09/2021
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
            Imagebase:0xe40000
            File size:82944 bytes
            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:04:30
            Start date:28/09/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:04:41
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:20:04:50
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:20:04:58
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Disassembly

            Code Analysis


              Executed Functions

              Memory Dump Source
              • Source File: 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Offset: 00F20000, based on PE: true
              • Associated: 00000000.00000002.305331975.0000000000F20000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305354898.0000000000F3A000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305366042.0000000000F3E000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.305959794.000000000109B000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305987095.00000000010A7000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305995650.00000000010AC000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306045004.00000000010C8000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306290413.00000000011E2000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306303567.00000000011E5000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 377cb471caef7c534acada15cec020bfb8619f619a938883f864681187dbe1e3
              • Instruction ID: 9cf170626814ceca462d251029187de9969077d20a945b2d2b8b3a885efaccd4
              • Opcode Fuzzy Hash: 377cb471caef7c534acada15cec020bfb8619f619a938883f864681187dbe1e3
              • Instruction Fuzzy Hash: 4A1108707045448FD325CF28C4D4A55B7EBBBC6308F858276D58887398CF39AC45C794
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.305995650.00000000010AC000.00000040.00020000.sdmp, Offset: 00F20000, based on PE: true
              • Associated: 00000000.00000002.305331975.0000000000F20000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305354898.0000000000F3A000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305366042.0000000000F3E000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305959794.000000000109B000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.305987095.00000000010A7000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306045004.00000000010C8000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306290413.00000000011E2000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.306303567.00000000011E5000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: X=~=$n=u=
              • API String ID: 0-4241731836
              • Opcode ID: c05899585913e9466d7496873f7ed8651ece0d51403958ad142644c7605ecc9b
              • Instruction ID: c43e94a6c90158667da2527afdd0fe1c86375cf64330e11e0e2871c2663e1a30
              • Opcode Fuzzy Hash: c05899585913e9466d7496873f7ed8651ece0d51403958ad142644c7605ecc9b
              • Instruction Fuzzy Hash: BD51263104D3C69FCBA39B7884952D2BFB2AE4B2103DA15EBC4C18F867D6215897D752
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              C-Code - Quality: 38%
              			E000A5CC4(intOrPtr __eax) {
              				intOrPtr _v8;
              				char _v12;
              				char _v15;
              				char _v17;
              				char _v18;
              				char _v22;
              				char _v28;
              				char _v289;
              				char* _t42;
              				char _t49;
              				char _t51;
              				char _t54;
              				char* _t55;
              				char* _t56;
              				char* _t59;
              				char* _t61;
              				char* _t63;
              				char* _t68;
              				char* _t73;
              				char* _t77;
              				char* _t82;
              				void* _t83;
              				intOrPtr _t87;
              				char* _t95;
              				void* _t98;
              				void* _t100;
              				intOrPtr _t101;
              
              				_t98 = _t100;
              				_t101 = _t100 + 0xfffffee0;
              				_v8 = __eax;
              				_push(0x105);
              				_push( &_v289);
              				_push(0);
              				L000A12B4();
              				_v22 = 0;
              				_t42 =  &_v12;
              				_push(_t42);
              				_push("SOLUTION_EMBEDDEDSERVER");
              				_push(0);
              				_push("Software\\Borland\\Locales");
              				_push(0x80000001); // executed
              				L000A130C(); // executed
              				if(_t42 == 0) {
              					L3:
              					_push(_t98);
              					_push(0xa5dc9);
              					_push( *[fs:eax]);
              					 *[fs:eax] = _t101;
              					_v28 = 5;
              					E000A5B0C( &_v289, 0x105);
              					_push( &_v28);
              					_push( &_v22);
              					_push(0);
              					_push(0);
              					_push( &_v289);
              					_t49 = _v12;
              					_push(_t49);
              					L000A1314();
              					if(_t49 != 0) {
              						_push( &_v28);
              						_push( &_v22);
              						_push(0);
              						_push(0);
              						_push(E000A5F30);
              						_t54 = _v12;
              						_push(_t54);
              						L000A1314();
              						if(_t54 != 0) {
              							_v22 = 0;
              						}
              					}
              					_v18 = 0;
              					_pop(_t87);
              					 *[fs:eax] = _t87;
              					_push(E000A5DD0);
              					_t51 = _v12;
              					_push(_t51);
              					L000A1304();
              					return _t51;
              				} else {
              					_t55 =  &_v12;
              					_push(_t55);
              					_push("SOLUTION_EMBEDDEDSERVER");
              					_push(0);
              					_push("Software\\Borland\\Locales");
              					_push(0x80000002); // executed
              					L000A130C(); // executed
              					if(_t55 == 0) {
              						goto L3;
              					} else {
              						_t56 =  &_v12;
              						_push(_t56);
              						_push("SOLUTION_EMBEDDEDSERVER");
              						_push(0);
              						_push("Software\\Borland\\Delphi\\Locales");
              						_push(0x80000001); // executed
              						L000A130C(); // executed
              						if(_t56 != 0) {
              							_push(0x105);
              							_push(_v8);
              							_push( &_v289);
              							L000A12EC();
              							_push(5);
              							_t59 =  &_v17;
              							_push(_t59);
              							_push(3);
              							L000A12D4();
              							_push(_t59);
              							L000A12AC();
              							_t95 = 0;
              							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
              								_t61 =  &_v289;
              								_push(_t61);
              								L000A12F4();
              								_t82 = _t61 +  &_v289;
              								while( *_t82 != 0x2e && _t82 !=  &_v289) {
              									_t82 = _t82 - 1;
              								}
              								_t63 =  &_v289;
              								if(_t82 != _t63) {
              									_t83 = _t82 + 1;
              									if(_v22 != 0) {
              										_push(0x105 - _t83 - _t63);
              										_push( &_v22);
              										_push(_t83);
              										L000A12EC();
              										_push(2);
              										_push(0);
              										_t77 =  &_v289;
              										_push(_t77);
              										L000A12DC();
              										_t95 = _t77;
              									}
              									if(_t95 == 0 && _v17 != 0) {
              										_push(0x105 - _t83 -  &_v289);
              										_push( &_v17);
              										_push(_t83);
              										L000A12EC();
              										_push(2);
              										_push(0);
              										_t68 =  &_v289;
              										_push(_t68); // executed
              										L000A12DC(); // executed
              										_t95 = _t68;
              										if(_t95 == 0) {
              											_v15 = 0;
              											_push(0x105 - _t83 -  &_v289);
              											_push( &_v17);
              											_push(_t83);
              											L000A12EC();
              											_push(2);
              											_push(0);
              											_t73 =  &_v289;
              											_push(_t73); // executed
              											L000A12DC(); // executed
              											_t95 = _t73;
              										}
              									}
              								}
              							}
              							return _t95;
              						} else {
              							goto L3;
              						}
              					}
              				}
              			}


              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction ID: f8f6dbaf6a88d4e6ff58a6c38242cc647118b49c8a84fa8d28a3eee188bd52a4
              • Opcode Fuzzy Hash: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction Fuzzy Hash: E6515175A0064C7AEB25D6E48C46FEF7BECAB05741F4000A5BA04E6182EAB4DF548BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E000A1A64() {
              				intOrPtr _t10;
              				signed int _t12;
              				intOrPtr _t18;
              				intOrPtr _t19;
              				intOrPtr _t22;
              
              				_push(_t22);
              				_push("�I ");
              				_push( *[fs:edx]);
              				 *[fs:edx] = _t22;
              				_push(0x1eb5cc);
              				L000A13B8();
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C0();
              				}
              				E000A1428(0x1eb5ec);
              				E000A1428(0x1eb5fc);
              				_t10 = E000A1428(0x1eb628);
              				_push(0xff8);
              				_push(0); // executed
              				L000A1398(); // executed
              				 *0x1eb624 = _t10;
              				if( *0x1eb624 != 0) {
              					_t12 = 3;
              					do {
              						_t19 =  *0x1eb624; // 0xaa17b8
              						 *((intOrPtr*)(_t19 + _t12 * 4 - 0xc)) = 0;
              						_t12 = _t12 + 1;
              					} while (_t12 != 0x401);
              					 *((intOrPtr*)(0x1eb610)) = 0x1eb60c;
              					 *0x1eb60c = 0x1eb60c;
              					 *0x1eb618 = 0x1eb60c;
              					 *0x1eb5c4 = 1;
              				}
              				_pop(_t18);
              				 *[fs:eax] = _t18;
              				_push(E000A1B21);
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C8();
              					return 0;
              				}
              				return 0;
              			}


              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: I
              • API String ID: 0-4276371480
              • Opcode ID: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction ID: 237f882b25c5d5e274468a2d0e7cd189f094dd50f3f4779c80cf88a40be7c5f8
              • Opcode Fuzzy Hash: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction Fuzzy Hash: 5E01007024C7D09EE315AFEA99927EE3AD5DB5F700F048464F100AAAE2C7B848808F61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E000A2724(void* __eax) {
              				void* _t3;
              				void* _t6;
              
              				if(__eax <= 0) {
              					_t6 = 0;
              				} else {
              					_t3 =  *0x1c6040(); // executed
              					_t6 = _t3;
              					if(_t6 == 0) {
              						E000A289C(1);
              					}
              				}
              				return _t6;
              			}


              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: P!
              • API String ID: 0-4290186079
              • Opcode ID: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction ID: 8bb81cf7096825d91731a04518ba5ff84630100b93d49d467f7c4f2298d8cf02
              • Opcode Fuzzy Hash: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction Fuzzy Hash: A6C09B6430D7034757643FFD1DD557F55C86F1A3053500035F901D6723DE45CD546661
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction ID: 0d705a3d7ed876027d04e2d2c42f9f7c11b057484529eae91f04001a24a049a7
              • Opcode Fuzzy Hash: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction Fuzzy Hash: 7F41B2B1A08340AFE714CFECDCC166E77E0EB9A314F158279D4159BAA1D33499818F40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E000A5DD0() {
              				void* _t24;
              				void* _t26;
              				void* _t28;
              				void* _t33;
              				void* _t38;
              				void* _t42;
              				char* _t46;
              				void* _t47;
              				void* _t54;
              				void* _t56;
              
              				_push(0x105);
              				_push( *((intOrPtr*)(_t56 - 4)));
              				_push(_t56 - 0x11d);
              				L000A12EC();
              				_push(5);
              				_t24 = _t56 - 0xd;
              				_push(_t24);
              				_push(3);
              				L000A12D4();
              				_push(_t24);
              				L000A12AC();
              				_t54 = 0;
              				if( *((char*)(_t56 - 0x11d)) == 0 ||  *((char*)(_t56 - 0xd)) == 0 &&  *((char*)(_t56 - 0x12)) == 0) {
              					L14:
              					return _t54;
              				} else {
              					_t26 = _t56 - 0x11d;
              					_push(_t26);
              					L000A12F4();
              					_t46 = _t26 + _t56 - 0x11d;
              					L5:
              					if( *_t46 != 0x2e && _t46 != _t56 - 0x11d) {
              						_t46 = _t46 - 1;
              						goto L5;
              					}
              					_t28 = _t56 - 0x11d;
              					if(_t46 != _t28) {
              						_t47 = _t46 + 1;
              						if( *((char*)(_t56 - 0x12)) != 0) {
              							_push(0x105 - _t47 - _t28);
              							_push(_t56 - 0x12);
              							_push(_t47);
              							L000A12EC();
              							_push(2); // LOAD_LIBRARY_AS_DATAFILE
              							_push(0); // hFile, reserved
              							_t42 = _t56 - 0x11d;
              							_push(_t42); // lpFileName: module path with the extension replaced by the registry override
              							L000A12DC(); // argument pattern consistent with LoadLibraryExA(path, 0, LOAD_LIBRARY_AS_DATAFILE): mapped for resources only, entry point not run; import unresolved in the report
              							_t54 = _t42;
              						}
              						if(_t54 == 0 &&  *((char*)(_t56 - 0xd)) != 0) {
              							_push(0x105 - _t47 - _t56 - 0x11d);
              							_push(_t56 - 0xd);
              							_push(_t47);
              							L000A12EC();
              							_push(2);
              							_push(0);
              							_t33 = _t56 - 0x11d;
              							_push(_t33); // executed
              							L000A12DC(); // executed
              							_t54 = _t33;
              							if(_t54 == 0) {
              								 *((char*)(_t56 - 0xb)) = 0;
              								_push(0x105 - _t47 - _t56 - 0x11d);
              								_push(_t56 - 0xd);
              								_push(_t47);
              								L000A12EC();
              								_push(2);
              								_push(0);
              								_t38 = _t56 - 0x11d;
              								_push(_t38); // executed
              								L000A12DC(); // executed
              								_t54 = _t38;
              							}
              						}
              					}
              					goto L14;
              				}
              			}
               Instruction addresses for E000A5DD0, 0x000a5dd0 through 0x000a5ef1: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction ID: 00a9e7246efb8fa479983cadeeb5bb281c6e74308e0f9605804b6d034709bbed
              • Opcode Fuzzy Hash: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction Fuzzy Hash: E8318271E0065C7AEB29D6F8DC4AFDF7AEC9B45380F0441E5A604E6182E674CFA48B50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E0018B3B0() {
              				void* _t13;
              				intOrPtr* _t14;
              				intOrPtr* _t18;
              				intOrPtr _t19;
              				signed int _t22;
              				intOrPtr* _t23;
              				intOrPtr _t26;
              				intOrPtr* _t27;
              				intOrPtr* _t34;
              				intOrPtr* _t35;
              				intOrPtr* _t37;
              				void* _t41;
              				void* _t42;
              				void* _t54;
              
              				L000A6E54();
              				_t41 = _t13;
              				_t26 = 0;
              				_t42 = 0x1e;
              				while(1) {
              					_push(0x3e8); // executed; 1000 ms
              					L000AFC00(); // executed; one-second delay per loop iteration (argument pattern consistent with Sleep(1000); import unresolved in the report)
              					if(_t42 < 0x1e) {
              						goto L9;
              					}
              					_t14 =  *0x1e9c5c; // 0x1f2580
              					if( *((char*)( *_t14 + 0xdd60)) == 0) {
              						L8:
              						_t42 = 0;
              						goto L9;
              					}
              					_t18 =  *0x1e9c5c; // 0x1f2580
              					_t19 =  *_t18;
              					if( *((char*)(_t19 + 0x178)) != 0) {
              						goto L8;
              					}
              					L000A6E54();
              					_t27 = 0x3c;
              					_t22 = (_t19 - _t41) / 0x3e8 / 0x3c; // difference of two L000A6E54 results, divided by 1000 and then by 60: consistent with a tick count converted to minutes since the loop started
              					_t34 =  *0x1e9b00; // 0x1f6e44
              					if( *_t34 != 0) {
              						_t37 =  *0x1e9c5c; // 0x1f2580
              						_t11 =  *_t37 + 0xdd64; // 0x0
              						_t27 =  *0x1e9b00; // 0x1f6e44
              						 *_t27 =  *_t11 - _t22;
              					}
              					_t35 =  *0x1e9c5c; // 0x1f2580
              					_t12 =  *_t35 + 0xdd64; // 0x0
              					if(_t22 >=  *_t12) {
              						_t23 =  *0x1e9b00; // 0x1f6e44
              						 *_t23 = 0;
              						L0018BB6C( *0x1f6b18, 4, _t41, _t42);
              					}
              					goto L8;
              					L9:
              					_t52 = _t26 - 0x3c;
              					if(_t26 >= 0x3c) {
              						L0018B190( *0x1f6b18, _t26, _t27, 4, _t41, _t42, _t52, _t54);
              						_t26 = 0;
              					}
              					_t26 = _t26 + 1;
              					_t42 = _t42 + 1;
              				}
              			}
               Instruction addresses for E0018B3B0, 0x0018b3b6 through 0x0018b46c: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction ID: 02173bd9049bbe49f0f6d16a30dac8a9c6ced30b8995b214ce555747622a52b6
              • Opcode Fuzzy Hash: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction Fuzzy Hash: 41119174748580CFD305EFA9D8C5A69B3E7BB8A300F548271E4098B7A6CF709D86CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 81%
              			E000A1710(signed int __eax, signed int* __ecx, intOrPtr __edx) {
              				signed int _v20;
              				signed int* _v24;
              				intOrPtr* _v40;
              				signed int _t15;
              				intOrPtr* _t16;
              				signed int _t17;
              				signed int _t27;
              				intOrPtr* _t29;
              				signed int _t31;
              				intOrPtr* _t32;
              
              				_v24 = __ecx;
              				 *_t32 = __edx;
              				_t31 = __eax & 0xfffff000;
              				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
              				 *_v24 = _t31;
              				_t15 = _v20 - _t31;
              				_v24[1] = _t15;
              				_t29 =  *0x1eb5ec; // 0xaa2dec
              				while(_t29 != 0x1eb5ec) {
              					_t17 =  *(_t29 + 8);
              					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
              					if(_t31 > _t17) {
              						_t17 = _t31;
              					}
              					if(_t27 > _v20) {
              						_t27 = _v20;
              					}
              					if(_t27 > _t17) {
              						_push(4); // PAGE_READWRITE
              						_push(0x1000); // MEM_COMMIT
              						_push(_t27 - _t17); // dwSize: the part of the requested range that falls inside this segment
              						_push(_t17); // executed; lpAddress
              						L000A13A8(); // executed; argument pattern matches VirtualAlloc(addr, size, MEM_COMMIT, PAGE_READWRITE); import unresolved in the report
              						if(_t15 == 0) {
              							_t16 = _v40;
              							 *_t16 = 0;
              							return _t16;
              						}
              					}
              					_t29 =  *_t29;
              				}
              				return _t15;
              			}
               Instruction addresses for E000A1710, 0x000a1717 through 0x000a17a1: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction ID: 3df9ce35553b71551fe55ec28f3f7d764df5770ce22f229102da47762b4534b4
              • Opcode Fuzzy Hash: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction Fuzzy Hash: BB117C76A087019BC360DF69C980AAFB7E5EFC5760F15C52CE59897354D730AC448A91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E000A17A4(void* __eax, signed int* __ecx, void* __edx) {
              				signed int _t7;
              				signed int _t9;
              				signed int _t14;
              				intOrPtr* _t19;
              				signed int _t22;
              				signed int* _t23;
              
              				_push(__ecx);
              				 *_t23 = __eax + 0x00000fff & 0xfffff000;
              				_t22 = __eax + __edx & 0xfffff000;
              				 *__ecx =  *_t23;
              				_t7 = _t22 -  *_t23;
              				__ecx[1] = _t7;
              				_t19 =  *0x1eb5ec; // 0xaa2dec
              				while(_t19 != 0x1eb5ec) {
              					_t9 =  *(_t19 + 8);
              					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
              					if(_t9 <  *_t23) {
              						_t9 =  *_t23;
              					}
              					if(_t22 < _t14) {
              						_t14 = _t22;
              					}
              					if(_t14 > _t9) {
              						_push(0x4000); // MEM_DECOMMIT
              						_push(_t14 - _t9); // dwSize: the part of the requested range that falls inside this segment
              						_push(_t9); // executed; lpAddress
              						L000A13B0(); // executed; argument pattern matches VirtualFree(addr, size, MEM_DECOMMIT); import unresolved in the report
              						if(_t7 == 0) {
              							 *0x1eb5c8 = 2;
              						}
              					}
              					_t19 =  *_t19;
              				}
              				return _t7;
              			}
               Instruction addresses for E000A17A4, 0x000a17a8 through 0x000a1820: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction ID: a8cbd01222597fabcc187dd99ab59c6ee2a113b6a0e0453285a1b7454905734e
              • Opcode Fuzzy Hash: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction Fuzzy Hash: 7301F77760C6045BC3109FA8DCC0AAE77E8EF86360F15463CEA8497741D336AC428BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E000A157C(intOrPtr __eax, intOrPtr* __edx) {
              				intOrPtr _t2;
              				intOrPtr* _t6;
              				intOrPtr _t9;
              				signed int _t12;
              
              				_t2 = __eax;
              				_t6 = __edx;
              				if(__eax >= 0x100000) {
              					_t12 = __eax + 0x0000ffff & 0xffff0000; // round the request up to a 64 KB boundary
              				} else {
              					_t12 = 0x100000; // never reserve less than 1 MB
              				}
              				 *(_t6 + 4) = _t12;
              				_push(1); // PAGE_NOACCESS
              				_push(0x2000); // MEM_RESERVE
              				_push(_t12); // dwSize
              				_push(0); // executed; lpAddress = NULL, the kernel chooses the base
              				L000A13A8(); // executed; argument pattern matches VirtualAlloc(NULL, size, MEM_RESERVE, PAGE_NOACCESS); import unresolved in the report
              				_t9 = _t2;
              				 *_t6 = _t9;
              				if(_t9 != 0) {
              					_t2 = E000A1430(0x1eb5ec, _t6);
              					if(_t2 == 0) {
              						_push(0x8000); // MEM_RELEASE
              						_push(0); // dwSize must be 0 with MEM_RELEASE
              						_push( *_t6); // base returned by the reserve call above
              						L000A13B0(); // argument pattern matches VirtualFree(base, 0, MEM_RELEASE); import unresolved in the report
              						 *_t6 = 0;
              						return 0;
              					}
              				}
              				return _t2;
              			}
               Instruction addresses for E000A157C, 0x000a157c through 0x000a15de: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction ID: 46c0abcff8e54cf27606c570806e331d82ca7f3ed887ea63f3b19b251b979133
              • Opcode Fuzzy Hash: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction Fuzzy Hash: E2F02773F00A2097EB209AFA0D81BD65AD59FCB790F144170FA49EF3CAE6A18C0043A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E000A5A88(void* __eax) {
              				char _v272;
              				intOrPtr _t13;
              				void* _t15;
              				intOrPtr _t17;
              				intOrPtr _t18;
              
              				_t15 = __eax;
              				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
              					_push(0x105); // nSize
              					_push( &_v272); // lpFilename
              					_t3 = _t15 + 4; // 0x70000
              					_push( *_t3); // hModule: the module's image base (0x70000)
              					L000A12B4(); // argument pattern consistent with GetModuleFileNameA(hModule, buf, 0x105); import unresolved in the report
              					_t13 = E000A5CC4(_t18); // executed
              					_t17 = _t13;
              					 *((intOrPtr*)(_t15 + 0x10)) = _t17;
              					if(_t17 == 0) {
              						_t5 = _t15 + 4; // 0x70000
              						 *((intOrPtr*)(_t15 + 0x10)) =  *_t5;
              					}
              				}
              				_t7 = _t15 + 0x10; // 0x70000
              				return  *_t7;
              			}
               Instruction addresses for E000A5A88, 0x000a5a90 through 0x000a5ace: the report's disassembly address column; the instruction text itself was not captured in this extract.

              Memory Dump Source
              • Source File: 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000001.00000002.556251498.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556280268.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556290962.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000001.00000002.556887472.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556900203.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.556948094.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557236018.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000001.00000002.557244078.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction ID: fd79b517d5f2c4eb6d96593d1a3f1bda0f5faa87980ead7665a36c0e20983b64
              • Opcode Fuzzy Hash: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction Fuzzy Hash: EEE03971A007109BCB50DE9898C1A8233D8AB09751F044A51AC58CF34AD3B0DD208BE1
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              C-Code - Quality: 38%
              			E000A5CC4(intOrPtr __eax) {
              				intOrPtr _v8;
              				char _v12;
              				char _v15;
              				char _v17;
              				char _v18;
              				char _v22;
              				char _v28;
              				char _v289;
              				char* _t42;
              				char _t49;
              				char _t51;
              				char _t54;
              				char* _t55;
              				char* _t56;
              				char* _t59;
              				char* _t61;
              				char* _t63;
              				char* _t68;
              				char* _t73;
              				char* _t77;
              				char* _t82;
              				void* _t83;
              				intOrPtr _t87;
              				char* _t95;
              				void* _t98;
              				void* _t100;
              				intOrPtr _t101;
              
              				_t98 = _t100;
              				_t101 = _t100 + 0xfffffee0;
              				_v8 = __eax;
              				_push(0x105); // nSize
              				_push( &_v289); // lpFilename
              				_push(0); // hModule 0 = the main executable
              				L000A12B4(); // argument pattern consistent with GetModuleFileNameA(NULL, buf, 0x105); import unresolved in the report
              				_v22 = 0;
              				_t42 =  &_v12;
              				_push(_t42);
              				_push("SOLUTION_EMBEDDEDSERVER");
              				_push(0);
              				_push("Software\\Borland\\Locales");
              				_push(0x80000001); // executed; 0x80000001 = HKEY_CURRENT_USER
              				L000A130C(); // executed
              				if(_t42 == 0) {
              					L3:
              					_push(_t98);
              					_push(0xa5dc9);
              					_push( *[fs:eax]);
              					 *[fs:eax] = _t101;
              					_v28 = 5; // cbData for the 5-byte value buffer _v22: at most 4 characters plus the terminator
              					E000A5B0C( &_v289, 0x105);
              					_push( &_v28);
              					_push( &_v22);
              					_push(0);
              					_push(0);
              					_push( &_v289);
              					_t49 = _v12;
              					_push(_t49);
              					L000A1314();
              					if(_t49 != 0) {
              						_push( &_v28);
              						_push( &_v22);
              						_push(0);
              						_push(0);
              						_push(E000A5F30);
              						_t54 = _v12;
              						_push(_t54);
              						L000A1314();
              						if(_t54 != 0) {
              							_v22 = 0;
              						}
              					}
              					_v18 = 0;
              					_pop(_t87);
              					 *[fs:eax] = _t87;
              					_push(E000A5DD0);
              					_t51 = _v12;
              					_push(_t51);
              					L000A1304();
              					return _t51;
              				} else {
              					_t55 =  &_v12;
              					_push(_t55);
              					_push("SOLUTION_EMBEDDEDSERVER");
              					_push(0);
              					_push("Software\\Borland\\Locales");
              					_push(0x80000002); // executed; 0x80000002 = HKEY_LOCAL_MACHINE
              					L000A130C(); // executed
              					if(_t55 == 0) {
              						goto L3;
              					} else {
              						_t56 =  &_v12;
              						_push(_t56);
              						_push("SOLUTION_EMBEDDEDSERVER");
              						_push(0);
              						_push("Software\\Borland\\Delphi\\Locales");
              						_push(0x80000001); // executed; 0x80000001 = HKEY_CURRENT_USER
              						L000A130C(); // executed
              						if(_t56 != 0) {
              							_push(0x105);
              							_push(_v8);
              							_push( &_v289);
              							L000A12EC();
              							_push(5);
              							_t59 =  &_v17;
              							_push(_t59);
              							_push(3);
              							L000A12D4();
              							_push(_t59);
              							L000A12AC();
              							_t95 = 0;
              							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
              								_t61 =  &_v289;
              								_push(_t61);
              								L000A12F4();
              								_t82 = _t61 +  &_v289;
              								while( *_t82 != 0x2e && _t82 !=  &_v289) {
              									_t82 = _t82 - 1;
              								}
              								_t63 =  &_v289;
              								if(_t82 != _t63) {
              									_t83 = _t82 + 1;
              									if(_v22 != 0) {
              										_push(0x105 - _t83 - _t63);
              										_push( &_v22);
              										_push(_t83);
              										L000A12EC();
              										_push(2); // LOAD_LIBRARY_AS_DATAFILE
              										_push(0); // hFile, reserved
              										_t77 =  &_v289;
              										_push(_t77); // lpFileName: module path with the extension replaced by the registry override
              										L000A12DC(); // argument pattern consistent with LoadLibraryExA(path, 0, LOAD_LIBRARY_AS_DATAFILE): mapped for resources only, entry point not run; import unresolved in the report
              										_t95 = _t77;
              									}
              									if(_t95 == 0 && _v17 != 0) {
              										_push(0x105 - _t83 -  &_v289);
              										_push( &_v17);
              										_push(_t83);
              										L000A12EC();
              										_push(2);
              										_push(0);
              										_t68 =  &_v289;
              										_push(_t68); // executed
              										L000A12DC(); // executed
              										_t95 = _t68;
              										if(_t95 == 0) {
              											_v15 = 0;
              											_push(0x105 - _t83 -  &_v289);
              											_push( &_v17);
              											_push(_t83);
              											L000A12EC();
              											_push(2);
              											_push(0);
              											_t73 =  &_v289;
              											_push(_t73); // executed
              											L000A12DC(); // executed
              											_t95 = _t73;
              										}
              									}
              								}
              							}
              							return _t95;
              						} else {
              							goto L3;
              						}
              					}
              				}
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x000a5cc5, 0x000a5cc7, 0x000a5ccf, 0x000a5cd2, 0x000a5cdd, 0x000a5cde, 0x000a5ce0, 0x000a5ce5, 0x000a5ce9, 0x000a5cec, 0x000a5ced, 0x000a5cf2, 0x000a5cf4, 0x000a5cf9, 0x000a5cfe, 0x000a5d05, 0x000a5d47, 0x000a5d49, 0x000a5d4a, 0x000a5d4f, 0x000a5d52, 0x000a5d55, 0x000a5d67, 0x000a5d6f, 0x000a5d73, 0x000a5d74, 0x000a5d76, 0x000a5d7e, 0x000a5d7f, 0x000a5d82, 0x000a5d83, 0x000a5d8a, 0x000a5d8f, 0x000a5d93, 0x000a5d94, 0x000a5d96, 0x000a5d98, 0x000a5d9d, 0x000a5da0, 0x000a5da1, 0x000a5da8, 0x000a5daa, 0x000a5daa, 0x000a5da8, 0x000a5dae, 0x000a5db4, 0x000a5db7, 0x000a5dba, 0x000a5dbf, 0x000a5dc2, 0x000a5dc3, 0x000a5dc8, 0x000a5d07, 0x000a5d07, 0x000a5d0a, 0x000a5d0b, 0x000a5d10, 0x000a5d12, 0x000a5d17, 0x000a5d1c, 0x000a5d23, 0x00000000, 0x000a5d25, 0x000a5d25, 0x000a5d28, 0x000a5d29, 0x000a5d2e, 0x000a5d30, 0x000a5d35, 0x000a5d3a, 0x000a5d41, 0x000a5dd0, 0x000a5dd8, 0x000a5ddf, 0x000a5de0, 0x000a5de5, 0x000a5de7, 0x000a5dea, 0x000a5deb, 0x000a5ded, 0x000a5df2, 0x000a5df3, 0x000a5df8, 0x000a5e01, 0x000a5e17, 0x000a5e1d, 0x000a5e1e, 0x000a5e2b, 0x000a5e30, 0x000a5e2f, 0x000a5e2f, 0x000a5e3f, 0x000a5e47, 0x000a5e4d, 0x000a5e52, 0x000a5e5f, 0x000a5e63, 0x000a5e64, 0x000a5e65, 0x000a5e6a, 0x000a5e6c, 0x000a5e6e, 0x000a5e74, 0x000a5e75, 0x000a5e7a, 0x000a5e7a, 0x000a5e7e, 0x000a5e97, 0x000a5e9b, 0x000a5e9c, 0x000a5e9d, 0x000a5ea2, 0x000a5ea4, 0x000a5ea6, 0x000a5eac, 0x000a5ead, 0x000a5eb2, 0x000a5eb6, 0x000a5eb8, 0x000a5ecd, 0x000a5ed1, 0x000a5ed2, 0x000a5ed3, 0x000a5ed8, 0x000a5eda, 0x000a5edc, 0x000a5ee2, 0x000a5ee3, 0x000a5ee8, 0x000a5ee8, 0x000a5eb6, 0x000a5e7e, 0x000a5e47, 0x000a5ef1, 0x00000000, 0x00000000, 0x00000000, 0x000a5d41, 0x000a5d23

              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000005.00000002.360774164.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360803398.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360813231.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000005.00000002.362023075.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362042317.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362126911.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362767582.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362774391.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction ID: f8f6dbaf6a88d4e6ff58a6c38242cc647118b49c8a84fa8d28a3eee188bd52a4
              • Opcode Fuzzy Hash: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction Fuzzy Hash: E6515175A0064C7AEB25D6E48C46FEF7BECAB05741F4000A5BA04E6182EAB4DF548BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E000A1A64() {
              				intOrPtr _t10;
              				signed int _t12;
              				intOrPtr _t18;
              				intOrPtr _t19;
              				intOrPtr _t22;
              
              				_push(_t22);
              				_push("�I ");
              				_push( *[fs:edx]);
              				 *[fs:edx] = _t22;
              				_push(0x1eb5cc);
              				L000A13B8();
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C0();
              				}
              				E000A1428(0x1eb5ec);
              				E000A1428(0x1eb5fc);
              				_t10 = E000A1428(0x1eb628);
              				_push(0xff8);
              				_push(0); // executed
              				L000A1398(); // executed
              				 *0x1eb624 = _t10;
              				if( *0x1eb624 != 0) {
              					_t12 = 3;
              					do {
              						_t19 =  *0x1eb624; // 0xbc9320
              						 *((intOrPtr*)(_t19 + _t12 * 4 - 0xc)) = 0;
              						_t12 = _t12 + 1;
              					} while (_t12 != 0x401);
              					 *((intOrPtr*)(0x1eb610)) = 0x1eb60c;
              					 *0x1eb60c = 0x1eb60c;
              					 *0x1eb618 = 0x1eb60c;
              					 *0x1eb5c4 = 1;
              				}
              				_pop(_t18);
              				 *[fs:eax] = _t18;
              				_push(E000A1B21);
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C8();
              					return 0;
              				}
              				return 0;
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x000a1a69, 0x000a1a6a, 0x000a1a6f, 0x000a1a72, 0x000a1a75, 0x000a1a7a, 0x000a1a86, 0x000a1a88, 0x000a1a8d, 0x000a1a8d, 0x000a1a97, 0x000a1aa1, 0x000a1aab, 0x000a1ab0, 0x000a1ab5, 0x000a1ab7, 0x000a1abc, 0x000a1ac8, 0x000a1aca, 0x000a1acf, 0x000a1acf, 0x000a1ad7, 0x000a1adb, 0x000a1adc, 0x000a1ae8, 0x000a1aeb, 0x000a1aed, 0x000a1af2, 0x000a1af2, 0x000a1afb, 0x000a1afe, 0x000a1b01, 0x000a1b0d, 0x000a1b0f, 0x000a1b14, 0x00000000, 0x000a1b14, 0x000a1b19

              Strings
              Yara matches
              Similarity
              • API ID:
              • String ID: I
              • API String ID: 0-4276371480
              • Opcode ID: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction ID: 237f882b25c5d5e274468a2d0e7cd189f094dd50f3f4779c80cf88a40be7c5f8
              • Opcode Fuzzy Hash: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction Fuzzy Hash: 5E01007024C7D09EE315AFEA99927EE3AD5DB5F700F048464F100AAAE2C7B848808F61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E000A2724(void* __eax) {
              				void* _t3;
              				void* _t6;
              
              				if(__eax <= 0) {
              					_t6 = 0;
              				} else {
              					_t3 =  *0x1c6040(); // executed
              					_t6 = _t3;
              					if(_t6 == 0) {
              						E000A289C(1);
              					}
              				}
              				return _t6;
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x000a2727, 0x000a273e, 0x000a2729, 0x000a2729, 0x000a272f, 0x000a2733, 0x000a2737, 0x000a2737, 0x000a2733, 0x000a2743

              Strings
              Yara matches
              Similarity
              • API ID:
              • String ID: P!
              • API String ID: 0-4290186079
              • Opcode ID: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction ID: 8bb81cf7096825d91731a04518ba5ff84630100b93d49d467f7c4f2298d8cf02
              • Opcode Fuzzy Hash: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction Fuzzy Hash: A6C09B6430D7034757643FFD1DD557F55C86F1A3053500035F901D6723DE45CD546661
              Uniqueness

              Uniqueness Score: -1.00%

              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction ID: 0d705a3d7ed876027d04e2d2c42f9f7c11b057484529eae91f04001a24a049a7
              • Opcode Fuzzy Hash: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction Fuzzy Hash: 7F41B2B1A08340AFE714CFECDCC166E77E0EB9A314F158279D4159BAA1D33499818F40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E000A5DD0() {
              				void* _t24;
              				void* _t26;
              				void* _t28;
              				void* _t33;
              				void* _t38;
              				void* _t42;
              				char* _t46;
              				void* _t47;
              				void* _t54;
              				void* _t56;
              
              				_push(0x105);
              				_push( *((intOrPtr*)(_t56 - 4)));
              				_push(_t56 - 0x11d);
              				L000A12EC();
              				_push(5);
              				_t24 = _t56 - 0xd;
              				_push(_t24);
              				_push(3);
              				L000A12D4();
              				_push(_t24);
              				L000A12AC();
              				_t54 = 0;
              				if( *((char*)(_t56 - 0x11d)) == 0 ||  *((char*)(_t56 - 0xd)) == 0 &&  *((char*)(_t56 - 0x12)) == 0) {
              					L14:
              					return _t54;
              				} else {
              					_t26 = _t56 - 0x11d;
              					_push(_t26);
              					L000A12F4();
              					_t46 = _t26 + _t56 - 0x11d;
              					L5:
              					if( *_t46 != 0x2e && _t46 != _t56 - 0x11d) {
              						_t46 = _t46 - 1;
              						goto L5;
              					}
              					_t28 = _t56 - 0x11d;
              					if(_t46 != _t28) {
              						_t47 = _t46 + 1;
              						if( *((char*)(_t56 - 0x12)) != 0) {
              							_push(0x105 - _t47 - _t28);
              							_push(_t56 - 0x12);
              							_push(_t47);
              							L000A12EC();
              							_push(2);
              							_push(0);
              							_t42 = _t56 - 0x11d;
              							_push(_t42);
              							L000A12DC();
              							_t54 = _t42;
              						}
              						if(_t54 == 0 &&  *((char*)(_t56 - 0xd)) != 0) {
              							_push(0x105 - _t47 - _t56 - 0x11d);
              							_push(_t56 - 0xd);
              							_push(_t47);
              							L000A12EC();
              							_push(2);
              							_push(0);
              							_t33 = _t56 - 0x11d;
              							_push(_t33); // executed
              							L000A12DC(); // executed
              							_t54 = _t33;
              							if(_t54 == 0) {
              								 *((char*)(_t56 - 0xb)) = 0;
              								_push(0x105 - _t47 - _t56 - 0x11d);
              								_push(_t56 - 0xd);
              								_push(_t47);
              								L000A12EC();
              								_push(2);
              								_push(0);
              								_t38 = _t56 - 0x11d;
              								_push(_t38); // executed
              								L000A12DC(); // executed
              								_t54 = _t38;
              							}
              						}
              					}
              					goto L14;
              				}
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x000a5dd0, 0x000a5dd8, 0x000a5ddf, 0x000a5de0, 0x000a5de5, 0x000a5de7, 0x000a5dea, 0x000a5deb, 0x000a5ded, 0x000a5df2, 0x000a5df3, 0x000a5df8, 0x000a5e01, 0x000a5eea, 0x000a5ef1, 0x000a5e17, 0x000a5e17, 0x000a5e1d, 0x000a5e1e, 0x000a5e2b, 0x000a5e30, 0x000a5e33, 0x000a5e2f, 0x00000000, 0x000a5e2f, 0x000a5e3f, 0x000a5e47, 0x000a5e4d, 0x000a5e52, 0x000a5e5f, 0x000a5e63, 0x000a5e64, 0x000a5e65, 0x000a5e6a, 0x000a5e6c, 0x000a5e6e, 0x000a5e74, 0x000a5e75, 0x000a5e7a, 0x000a5e7a, 0x000a5e7e, 0x000a5e97, 0x000a5e9b, 0x000a5e9c, 0x000a5e9d, 0x000a5ea2, 0x000a5ea4, 0x000a5ea6, 0x000a5eac, 0x000a5ead, 0x000a5eb2, 0x000a5eb6, 0x000a5eb8, 0x000a5ecd, 0x000a5ed1, 0x000a5ed2, 0x000a5ed3, 0x000a5ed8, 0x000a5eda, 0x000a5edc, 0x000a5ee2, 0x000a5ee3, 0x000a5ee8, 0x000a5ee8, 0x000a5eb6, 0x000a5e7e, 0x00000000, 0x000a5e47

              Strings
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction ID: 00a9e7246efb8fa479983cadeeb5bb281c6e74308e0f9605804b6d034709bbed
              • Opcode Fuzzy Hash: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction Fuzzy Hash: E8318271E0065C7AEB29D6F8DC4AFDF7AEC9B45380F0441E5A604E6182E674CFA48B50
              Uniqueness

              Uniqueness Score: -1.00%
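The routine E000A5DD0 above (and the same logic, with different temporaries, that closes the truncated function at the top of this section) reads as runtime boilerplate rather than sample-specific code: its String IDs are the Software\Borland\Delphi\Locales and Software\Borland\Locales registry keys, and the control flow is a locale resource-module lookup: take a file name, walk back to its last '.', overwrite the extension in turn with a locale override, an abbreviated language name and that name's first two characters, and probe each candidate until a load succeeds. The Python below is an added example written for this page; it is not code from the sandbox report or from the sample. It reproduces only the candidate order of the decompiled branches. The meanings it assigns to the buffers (the 0x105-byte file-name buffer, the two 5-byte strings at -0x12 and -0xd) and to L000A12DC (the load attempt, modelled by the `loader` callback) are assumptions, as is the `locale_module_candidates` name.

```python
"""Candidate-file search reconstructed from the decompiled E000A5DD0.

Added example for this page, not code from the sandbox report or from the
sample.  Assumptions (not stated by the report): the 0x105-byte buffer is the
module file name, the two 5-byte buffers are a locale override and an
abbreviated language name, and L000A12DC is the call that tries to load a
candidate file and returns a non-zero handle on success.
"""
from typing import Callable, List, Optional

FILENAME_BUF = 0x105     # size pushed for the file-name buffer in the decompile


def _with_suffix(module_path: str, suffix: str) -> Optional[str]:
    """Mirror the backwards scan `while (*p != '.' && p != buf) p--`: the
    suffix replaces everything after the LAST '.', wherever that dot sits.
    Returns None when the name has no '.', the case in which the routine
    returns 0 without probing any file."""
    dot = module_path.rfind(".")
    if dot == -1:
        return None
    # The copy length pushed is 0x105 - (p + 1 - buf): the suffix is
    # truncated to the room left in the buffer rather than overrunning it.
    room = FILENAME_BUF - (dot + 1)
    return module_path[: dot + 1] + suffix[:room]


def locale_module_candidates(module_path: str,
                             locale_override: str,
                             abbrev_lang: str) -> List[str]:
    """File names the routine probes, in branch order: override first, then
    the full language name, then its first two characters (the `_v15 = 0`
    store truncates the 5-byte buffer at index 2).  Empty strings skip a
    branch, as the `*buf != 0` tests do.  No de-duplication: a two-letter
    language name is probed twice, exactly as the decompile does."""
    if not module_path or not (locale_override or abbrev_lang):
        return []
    names: List[str] = []
    for suffix in (locale_override, abbrev_lang, abbrev_lang[:2]):
        if not suffix:
            continue
        cand = _with_suffix(module_path, suffix)
        if cand is None:
            return []
        names.append(cand)
    return names


def find_locale_module(module_path: str,
                       locale_override: str,
                       abbrev_lang: str,
                       loader: Callable[[str], int]) -> int:
    """Try each candidate until `loader` returns non-zero, else 0.
    `loader` stands in for L000A12DC (assumed to be the load attempt); the
    `if (_t54 == 0 && ...)` guards in the decompile give the same
    first-success short-circuit."""
    for cand in locale_module_candidates(module_path, locale_override, abbrev_lang):
        handle = loader(cand)
        if handle:
            return handle
    return 0
```

For triage the practical point is that any probe for a file named like the module with a two- or three-letter extension in its own directory originates in this routine, so it can be set aside when looking for the sample's own behaviour; the example also makes visible that the scan stops at the last '.' anywhere in the path, so a dot in a directory name and no dot in the file name still yields a candidate.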

              C-Code - Quality: 60%
              			E0018B3B0() {
              				void* _t13;
              				intOrPtr* _t14;
              				intOrPtr* _t18;
              				intOrPtr _t19;
              				signed int _t22;
              				intOrPtr* _t23;
              				intOrPtr _t26;
              				intOrPtr* _t27;
              				intOrPtr* _t34;
              				intOrPtr* _t35;
              				intOrPtr* _t37;
              				void* _t41;
              				void* _t42;
              				void* _t54;
              
              				L000A6E54();
              				_t41 = _t13;
              				_t26 = 0;
              				_t42 = 0x1e;
              				while(1) {
              					_push(0x3e8); // executed
              					L000AFC00(); // executed
              					if(_t42 < 0x1e) {
              						goto L9;
              					}
              					_t14 =  *0x1e9c5c; // 0x1f2580
              					if( *((char*)( *_t14 + 0xdd60)) == 0) {
              						L8:
              						_t42 = 0;
              						goto L9;
              					}
              					_t18 =  *0x1e9c5c; // 0x1f2580
              					_t19 =  *_t18;
              					if( *((char*)(_t19 + 0x178)) != 0) {
              						goto L8;
              					}
              					L000A6E54();
              					_t27 = 0x3c;
              					_t22 = (_t19 - _t41) / 0x3e8 / 0x3c;
              					_t34 =  *0x1e9b00; // 0x1f6e44
              					if( *_t34 != 0) {
              						_t37 =  *0x1e9c5c; // 0x1f2580
              						_t11 =  *_t37 + 0xdd64; // 0x0
              						_t27 =  *0x1e9b00; // 0x1f6e44
              						 *_t27 =  *_t11 - _t22;
              					}
              					_t35 =  *0x1e9c5c; // 0x1f2580
              					_t12 =  *_t35 + 0xdd64; // 0x0
              					if(_t22 >=  *_t12) {
              						_t23 =  *0x1e9b00; // 0x1f6e44
              						 *_t23 = 0;
              						L0018BB6C( *0x1f6b18, 4, _t41, _t42);
              					}
              					goto L8;
              					L9:
              					_t52 = _t26 - 0x3c;
              					if(_t26 >= 0x3c) {
              						L0018B190( *0x1f6b18, _t26, _t27, 4, _t41, _t42, _t52, _t54);
              						_t26 = 0;
              					}
              					_t26 = _t26 + 1;
              					_t42 = _t42 + 1;
              				}
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x0018b3b6, 0x0018b3bb, 0x0018b3bd, 0x0018b3bf, 0x0018b3c4, 0x0018b3c4, 0x0018b3c9, 0x0018b3d1, 0x00000000, 0x00000000, 0x0018b3d7, 0x0018b3e5, 0x0018b458, 0x0018b458, 0x00000000, 0x0018b458, 0x0018b3e7, 0x0018b3ec, 0x0018b3f5, 0x00000000, 0x00000000, 0x0018b3f7, 0x0018b407, 0x0018b40e, 0x0018b410, 0x0018b419, 0x0018b41b, 0x0018b423, 0x0018b42b, 0x0018b431, 0x0018b431, 0x0018b433, 0x0018b43b, 0x0018b441, 0x0018b443, 0x0018b44a, 0x0018b453, 0x0018b453, 0x00000000, 0x0018b45a, 0x0018b45a, 0x0018b45d, 0x0018b464, 0x0018b469, 0x0018b469, 0x0018b46b, 0x0018b46c, 0x0018b46c

              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction ID: 02173bd9049bbe49f0f6d16a30dac8a9c6ced30b8995b214ce555747622a52b6
              • Opcode Fuzzy Hash: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction Fuzzy Hash: 41119174748580CFD305EFA9D8C5A69B3E7BB8A300F548271E4098B7A6CF709D86CB90
              Uniqueness

              Uniqueness Score: -1.00%
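E0018B3B0 is the one routine in this section that does not look like runtime boilerplate, and the decompiler's goto layout hides its cadence. The Python below is an added model written for this page, not code from the report or from the sample. What the two callees L0018BB6C and L0018B190 do is not visible here, so the model only records when they would be invoked, under these labelled assumptions: L000AFC00(0x3e8) is Sleep(1000), L000A6E54 is GetTickCount, the object fields at +0xdd60 and +0x178 are an enable and a suppress flag, +0xdd64 is a threshold in minutes, and the global at 0x1e9b00 is a minutes-remaining counter. The `Ctx` and `run_loop` names are the example's own.

```python
"""Scheduling model of the decompiled loop E0018B3B0.

Added example for this page, not code from the report or the sample.
Labelled assumptions: L000AFC00(0x3e8) is Sleep(1000), L000A6E54 is
GetTickCount, object field +0xdd60 is an enable flag, +0x178 a suppress
flag, +0xdd64 a threshold in minutes, and the global at 0x1e9b00 a
minutes-remaining counter.  L0018BB6C and L0018B190 are unknown callees
and are recorded as events rather than executed.
"""
from dataclasses import dataclass
from typing import List, Tuple

CHECK_EVERY = 0x1e      # passes between timed checks (_t42 threshold)
PERIODIC_EVERY = 0x3c   # passes between L0018B190 calls (_t26 threshold)
SLEEP_MS = 0x3e8        # argument pushed before L000AFC00


@dataclass
class Ctx:
    enabled: bool         # *(obj + 0xdd60) != 0   (assumed meaning)
    suppressed: bool      # *(obj + 0x178) != 0    (assumed meaning)
    threshold_min: int    # *(obj + 0xdd64)        (assumed: minutes)
    remaining: int = 0    # *0x1e9b00, rewritten only while non-zero


def run_loop(ctx: Ctx, passes: int, ms_per_pass: int = SLEEP_MS) -> List[Tuple[int, str]]:
    """Simulate `passes` iterations with a clock that advances `ms_per_pass`
    per Sleep.  Returns (elapsed_ms, callee) pairs in invocation order."""
    events: List[Tuple[int, str]] = []
    now = 0
    start = now                 # _t41: taken once before the loop, never reset
    periodic = 0                # _t26
    check = CHECK_EVERY         # _t42 starts at 0x1e, so pass 1 already checks
    for _ in range(passes):
        now += ms_per_pass      # Sleep(0x3e8)
        if check >= CHECK_EVERY:
            # Either flag test jumps to the reset at L8 without doing anything.
            if ctx.enabled and not ctx.suppressed:
                minutes = (now - start) // 0x3e8 // 0x3c
                if ctx.remaining != 0:
                    ctx.remaining = ctx.threshold_min - minutes
                if minutes >= ctx.threshold_min:
                    ctx.remaining = 0
                    events.append((now - start, "L0018BB6C"))
            check = 0           # L8
        # L9: the 0x3c-pass cadence runs regardless of the flags.
        if periodic >= PERIODIC_EVERY:
            events.append((now - start, "L0018B190"))
            periodic = 0
        periodic += 1
        check += 1
    return events
```

Two properties of the listing that the model makes explicit: the start tick is never reset, so once the threshold has elapsed L0018BB6C is invoked on every subsequent check (about every 30 seconds under the Sleep(1000) assumption), and the first timed check happens on the very first pass because _t42 begins at 0x1e rather than 0.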

              C-Code - Quality: 82%
              			E000A1710(signed int __eax, signed int* __ecx, intOrPtr __edx) {
              				signed int _v20;
              				signed int* _v24;
              				intOrPtr* _v40;
              				signed int _t15;
              				intOrPtr* _t16;
              				signed int _t17;
              				signed int _t27;
              				intOrPtr* _t29;
              				signed int _t31;
              				intOrPtr* _t32;
              
              				_v24 = __ecx;
              				 *_t32 = __edx;
              				_t31 = __eax & 0xfffff000;
              				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
              				 *_v24 = _t31;
              				_t15 = _v20 - _t31;
              				_v24[1] = _t15;
              				_t29 =  *0x1eb5ec; // 0xbca954
              				while(_t29 != 0x1eb5ec) {
              					_t7 = _t29 + 8; // 0x2e60000
              					_t17 =  *_t7;
              					_t8 = _t29 + 0xc; // 0x100000
              					_t27 =  *_t8 + _t17;
              					if(_t31 > _t17) {
              						_t17 = _t31;
              					}
              					if(_t27 > _v20) {
              						_t27 = _v20;
              					}
              					if(_t27 > _t17) {
              						_push(4);
              						_push(0x1000);
              						_push(_t27 - _t17);
              						_push(_t17); // executed
              						L000A13A8(); // executed
              						if(_t15 == 0) {
              							_t16 = _v40;
              							 *_t16 = 0;
              							return _t16;
              						}
              					}
              					_t29 =  *_t29;
              				}
              				return _t15;
              			}

              Instruction addresses for the C-code listing above, one entry per listed line in listing order: 0x000a1717, 0x000a171b, 0x000a1722, 0x000a1737, 0x000a173f, 0x000a1745, 0x000a174b, 0x000a174e, 0x000a1792, 0x000a1756, 0x000a1756, 0x000a1759, 0x000a175c, 0x000a1760, 0x000a1762, 0x000a1762, 0x000a1768, 0x000a176a, 0x000a176a, 0x000a1770, 0x000a1772, 0x000a1774, 0x000a177b, 0x000a177c, 0x000a177d, 0x000a1784, 0x000a1786, 0x000a178c, 0x00000000, 0x000a178c, 0x000a1784, 0x000a1790, 0x000a1790, 0x000a17a1

              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction ID: 3df9ce35553b71551fe55ec28f3f7d764df5770ce22f229102da47762b4534b4
              • Opcode Fuzzy Hash: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction Fuzzy Hash: BB117C76A087019BC360DF69C980AAFB7E5EFC5760F15C52CE59897354D730AC448A91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E000A17A4(void* __eax, signed int* __ecx, void* __edx) {
              				signed int _t7;
              				signed int _t9;
              				signed int _t14;
              				intOrPtr* _t19;
              				signed int _t22;
              				signed int* _t23;
              
              				_push(__ecx);
              				 *_t23 = __eax + 0x00000fff & 0xfffff000;
              				_t22 = __eax + __edx & 0xfffff000;
              				 *__ecx =  *_t23;
              				_t7 = _t22 -  *_t23;
              				__ecx[1] = _t7;
              				_t19 =  *0x1eb5ec; // 0xbca954
              				while(_t19 != 0x1eb5ec) {
              					_t2 = _t19 + 8; // 0x2e60000
              					_t9 =  *_t2;
              					_t3 = _t19 + 0xc; // 0x100000
              					_t14 =  *_t3 + _t9;
              					if(_t9 <  *_t23) {
              						_t9 =  *_t23;
              					}
              					if(_t22 < _t14) {
              						_t14 = _t22;
              					}
              					if(_t14 > _t9) {
              						_push(0x4000);
              						_push(_t14 - _t9);
              						_push(_t9); // executed
              						L000A13B0(); // executed
              						if(_t7 == 0) {
              							 *0x1eb5c8 = 2;
              						}
              					}
              					_t19 =  *_t19;
              				}
              				return _t7;
              			}

              0x000a17a8
              0x000a17b9
              0x000a17c0
              0x000a17c9
              0x000a17cd
              0x000a17d0
              0x000a17d3
              0x000a1813
              0x000a17db
              0x000a17db
              0x000a17de
              0x000a17e1
              0x000a17e6
              0x000a17e8
              0x000a17e8
              0x000a17ed
              0x000a17ef
              0x000a17ef
              0x000a17f3
              0x000a17f5
              0x000a17fc
              0x000a17fd
              0x000a17fe
              0x000a1805
              0x000a1807
              0x000a1807
              0x000a1805
              0x000a1811
              0x000a1811
              0x000a1820

              Memory Dump Source
              • Source File: 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000005.00000002.360774164.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360803398.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360813231.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000005.00000002.362023075.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362042317.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362126911.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362767582.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362774391.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction ID: a8cbd01222597fabcc187dd99ab59c6ee2a113b6a0e0453285a1b7454905734e
              • Opcode Fuzzy Hash: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction Fuzzy Hash: 7301F77760C6045BC3109FA8DCC0AAE77E8EF86360F15463CEA8497741D336AC428BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E000A157C(intOrPtr __eax, intOrPtr* __edx) {
              				intOrPtr _t2;
              				intOrPtr* _t6;
              				intOrPtr _t9;
              				signed int _t12;
              
              				_t2 = __eax;
              				_t6 = __edx;
              				if(__eax >= 0x100000) {
              					_t12 = __eax + 0x0000ffff & 0xffff0000;
              				} else {
              					_t12 = 0x100000;
              				}
              				 *(_t6 + 4) = _t12;
              				_push(1);
              				_push(0x2000);
              				_push(_t12);
              				_push(0); // executed
              				L000A13A8(); // executed
              				_t9 = _t2;
              				 *_t6 = _t9;
              				if(_t9 != 0) {
              					_t2 = E000A1430(0x1eb5ec, _t6);
              					if(_t2 == 0) {
              						_push(0x8000);
              						_push(0);
              						_push( *_t6);
              						L000A13B0();
              						 *_t6 = 0;
              						return 0;
              					}
              				}
              				return _t2;
              			}

              0x000a157c
              0x000a157f
              0x000a1589
              0x000a1598
              0x000a158b
              0x000a158b
              0x000a158b
              0x000a159e
              0x000a15a1
              0x000a15a3
              0x000a15a8
              0x000a15a9
              0x000a15ab
              0x000a15b0
              0x000a15b2
              0x000a15b6
              0x000a15bf
              0x000a15c6
              0x000a15c8
              0x000a15cd
              0x000a15d1
              0x000a15d2
              0x000a15d9
              0x00000000
              0x000a15d9
              0x000a15c6
              0x000a15de

              Memory Dump Source
              • Source File: 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000005.00000002.360774164.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360803398.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360813231.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000005.00000002.362023075.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362042317.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362126911.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362767582.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362774391.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction ID: 46c0abcff8e54cf27606c570806e331d82ca7f3ed887ea63f3b19b251b979133
              • Opcode Fuzzy Hash: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction Fuzzy Hash: E2F02773F00A2097EB209AFA0D81BD65AD59FCB790F144170FA49EF3CAE6A18C0043A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E000A5A88(void* __eax) {
              				char _v272;
              				intOrPtr _t13;
              				void* _t15;
              				intOrPtr _t17;
              				intOrPtr _t18;
              
              				_t15 = __eax;
              				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
              					_push(0x105);
              					_push( &_v272);
              					_t3 = _t15 + 4; // 0x70000
              					_push( *_t3);
              					L000A12B4();
              					_t13 = E000A5CC4(_t18); // executed
              					_t17 = _t13;
              					 *((intOrPtr*)(_t15 + 0x10)) = _t17;
              					if(_t17 == 0) {
              						_t5 = _t15 + 4; // 0x70000
              						 *((intOrPtr*)(_t15 + 0x10)) =  *_t5;
              					}
              				}
              				_t7 = _t15 + 0x10; // 0x70000
              				return  *_t7;
              			}

              0x000a5a90
              0x000a5a96
              0x000a5a98
              0x000a5aa1
              0x000a5aa2
              0x000a5aa5
              0x000a5aa6
              0x000a5aaf
              0x000a5ab4
              0x000a5ab6
              0x000a5abb
              0x000a5abd
              0x000a5ac0
              0x000a5ac0
              0x000a5abb
              0x000a5ac3
              0x000a5ace

              Memory Dump Source
              • Source File: 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000005.00000002.360774164.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360803398.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.360813231.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000005.00000002.362023075.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362042317.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362126911.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362767582.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000005.00000002.362774391.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction ID: fd79b517d5f2c4eb6d96593d1a3f1bda0f5faa87980ead7665a36c0e20983b64
              • Opcode Fuzzy Hash: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction Fuzzy Hash: EEE03971A007109BCB50DE9898C1A8233D8AB09751F044A51AC58CF34AD3B0DD208BE1
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              C-Code - Quality: 38%
              			E000A5CC4(intOrPtr __eax) {
              				intOrPtr _v8;
              				char _v12;
              				char _v15;
              				char _v17;
              				char _v18;
              				char _v22;
              				char _v28;
              				char _v289;
              				char* _t42;
              				char _t49;
              				char _t51;
              				char _t54;
              				char* _t55;
              				char* _t56;
              				char* _t59;
              				char* _t61;
              				char* _t63;
              				char* _t68;
              				char* _t73;
              				char* _t77;
              				char* _t82;
              				void* _t83;
              				intOrPtr _t87;
              				char* _t95;
              				void* _t98;
              				void* _t100;
              				intOrPtr _t101;
              
              				_t98 = _t100;
              				_t101 = _t100 + 0xfffffee0;
              				_v8 = __eax;
              				_push(0x105);
              				_push( &_v289);
              				_push(0);
              				L000A12B4();
              				_v22 = 0;
              				_t42 =  &_v12;
              				_push(_t42);
              				_push("SOLUTION_EMBEDDEDSERVER");
              				_push(0);
              				_push("Software\\Borland\\Locales");
              				_push(0x80000001); // executed
              				L000A130C(); // executed
              				if(_t42 == 0) {
              					L3:
              					_push(_t98);
              					_push(0xa5dc9);
              					_push( *[fs:eax]);
              					 *[fs:eax] = _t101;
              					_v28 = 5;
              					E000A5B0C( &_v289, 0x105);
              					_push( &_v28);
              					_push( &_v22);
              					_push(0);
              					_push(0);
              					_push( &_v289);
              					_t49 = _v12;
              					_push(_t49);
              					L000A1314();
              					if(_t49 != 0) {
              						_push( &_v28);
              						_push( &_v22);
              						_push(0);
              						_push(0);
              						_push(E000A5F30);
              						_t54 = _v12;
              						_push(_t54);
              						L000A1314();
              						if(_t54 != 0) {
              							_v22 = 0;
              						}
              					}
              					_v18 = 0;
              					_pop(_t87);
              					 *[fs:eax] = _t87;
              					_push(E000A5DD0);
              					_t51 = _v12;
              					_push(_t51);
              					L000A1304();
              					return _t51;
              				} else {
              					_t55 =  &_v12;
              					_push(_t55);
              					_push("SOLUTION_EMBEDDEDSERVER");
              					_push(0);
              					_push("Software\\Borland\\Locales");
              					_push(0x80000002); // executed
              					L000A130C(); // executed
              					if(_t55 == 0) {
              						goto L3;
              					} else {
              						_t56 =  &_v12;
              						_push(_t56);
              						_push("SOLUTION_EMBEDDEDSERVER");
              						_push(0);
              						_push("Software\\Borland\\Delphi\\Locales");
              						_push(0x80000001); // executed
              						L000A130C(); // executed
              						if(_t56 != 0) {
              							_push(0x105);
              							_push(_v8);
              							_push( &_v289);
              							L000A12EC();
              							_push(5);
              							_t59 =  &_v17;
              							_push(_t59);
              							_push(3);
              							L000A12D4();
              							_push(_t59);
              							L000A12AC();
              							_t95 = 0;
              							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
              								_t61 =  &_v289;
              								_push(_t61);
              								L000A12F4();
              								_t82 = _t61 +  &_v289;
              								while( *_t82 != 0x2e && _t82 !=  &_v289) {
              									_t82 = _t82 - 1;
              								}
              								_t63 =  &_v289;
              								if(_t82 != _t63) {
              									_t83 = _t82 + 1;
              									if(_v22 != 0) {
              										_push(0x105 - _t83 - _t63);
              										_push( &_v22);
              										_push(_t83);
              										L000A12EC();
              										_push(2);
              										_push(0);
              										_t77 =  &_v289;
              										_push(_t77);
              										L000A12DC();
              										_t95 = _t77;
              									}
              									if(_t95 == 0 && _v17 != 0) {
              										_push(0x105 - _t83 -  &_v289);
              										_push( &_v17);
              										_push(_t83);
              										L000A12EC();
              										_push(2);
              										_push(0);
              										_t68 =  &_v289;
              										_push(_t68); // executed
              										L000A12DC(); // executed
              										_t95 = _t68;
              										if(_t95 == 0) {
              											_v15 = 0;
              											_push(0x105 - _t83 -  &_v289);
              											_push( &_v17);
              											_push(_t83);
              											L000A12EC();
              											_push(2);
              											_push(0);
              											_t73 =  &_v289;
              											_push(_t73); // executed
              											L000A12DC(); // executed
              											_t95 = _t73;
              										}
              									}
              								}
              							}
              							return _t95;
              						} else {
              							goto L3;
              						}
              					}
              				}
              			}

              0x000a5cc5
              0x000a5cc7
              0x000a5ccf
              0x000a5cd2
              0x000a5cdd
              0x000a5cde
              0x000a5ce0
              0x000a5ce5
              0x000a5ce9
              0x000a5cec
              0x000a5ced
              0x000a5cf2
              0x000a5cf4
              0x000a5cf9
              0x000a5cfe
              0x000a5d05
              0x000a5d47
              0x000a5d49
              0x000a5d4a
              0x000a5d4f
              0x000a5d52
              0x000a5d55
              0x000a5d67
              0x000a5d6f
              0x000a5d73
              0x000a5d74
              0x000a5d76
              0x000a5d7e
              0x000a5d7f
              0x000a5d82
              0x000a5d83
              0x000a5d8a
              0x000a5d8f
              0x000a5d93
              0x000a5d94
              0x000a5d96
              0x000a5d98
              0x000a5d9d
              0x000a5da0
              0x000a5da1
              0x000a5da8
              0x000a5daa
              0x000a5daa
              0x000a5da8
              0x000a5dae
              0x000a5db4
              0x000a5db7
              0x000a5dba
              0x000a5dbf
              0x000a5dc2
              0x000a5dc3
              0x000a5dc8
              0x000a5d07
              0x000a5d07
              0x000a5d0a
              0x000a5d0b
              0x000a5d10
              0x000a5d12
              0x000a5d17
              0x000a5d1c
              0x000a5d23
              0x00000000
              0x000a5d25
              0x000a5d25
              0x000a5d28
              0x000a5d29
              0x000a5d2e
              0x000a5d30
              0x000a5d35
              0x000a5d3a
              0x000a5d41
              0x000a5dd0
              0x000a5dd8
              0x000a5ddf
              0x000a5de0
              0x000a5de5
              0x000a5de7
              0x000a5dea
              0x000a5deb
              0x000a5ded
              0x000a5df2
              0x000a5df3
              0x000a5df8
              0x000a5e01
              0x000a5e17
              0x000a5e1d
              0x000a5e1e
              0x000a5e2b
              0x000a5e30
              0x000a5e2f
              0x000a5e2f
              0x000a5e3f
              0x000a5e47
              0x000a5e4d
              0x000a5e52
              0x000a5e5f
              0x000a5e63
              0x000a5e64
              0x000a5e65
              0x000a5e6a
              0x000a5e6c
              0x000a5e6e
              0x000a5e74
              0x000a5e75
              0x000a5e7a
              0x000a5e7a
              0x000a5e7e
              0x000a5e97
              0x000a5e9b
              0x000a5e9c
              0x000a5e9d
              0x000a5ea2
              0x000a5ea4
              0x000a5ea6
              0x000a5eac
              0x000a5ead
              0x000a5eb2
              0x000a5eb6
              0x000a5eb8
              0x000a5ecd
              0x000a5ed1
              0x000a5ed2
              0x000a5ed3
              0x000a5ed8
              0x000a5eda
              0x000a5edc
              0x000a5ee2
              0x000a5ee3
              0x000a5ee8
              0x000a5ee8
              0x000a5eb6
              0x000a5e7e
              0x000a5e47
              0x000a5ef1
              0x00000000
              0x00000000
              0x00000000
              0x000a5d41
              0x000a5d23

              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction ID: f8f6dbaf6a88d4e6ff58a6c38242cc647118b49c8a84fa8d28a3eee188bd52a4
              • Opcode Fuzzy Hash: 4bcd3ff6a37c1a410891e19db531d7c383ceaeca5ea7dd5bffa0bd7f551a1692
              • Instruction Fuzzy Hash: E6515175A0064C7AEB25D6E48C46FEF7BECAB05741F4000A5BA04E6182EAB4DF548BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E000A1A64() {
              				intOrPtr _t10;
              				signed int _t12;
              				intOrPtr _t18;
              				intOrPtr _t19;
              				intOrPtr _t22;
              
              				_push(_t22);
              				_push("�I ");
              				_push( *[fs:edx]);
              				 *[fs:edx] = _t22;
              				_push(0x1eb5cc);
              				L000A13B8();
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C0();
              				}
              				E000A1428(0x1eb5ec);
              				E000A1428(0x1eb5fc);
              				_t10 = E000A1428(0x1eb628);
              				_push(0xff8);
              				_push(0); // executed
              				L000A1398(); // executed
              				 *0x1eb624 = _t10;
              				if( *0x1eb624 != 0) {
              					_t12 = 3;
              					do {
              						_t19 =  *0x1eb624; // 0xd392b8
              						 *((intOrPtr*)(_t19 + _t12 * 4 - 0xc)) = 0;
              						_t12 = _t12 + 1;
              					} while (_t12 != 0x401);
              					 *((intOrPtr*)(0x1eb610)) = 0x1eb60c;
              					 *0x1eb60c = 0x1eb60c;
              					 *0x1eb618 = 0x1eb60c;
              					 *0x1eb5c4 = 1;
              				}
              				_pop(_t18);
              				 *[fs:eax] = _t18;
              				_push(E000A1B21);
              				if( *0x1eb04d != 0) {
              					_push(0x1eb5cc);
              					L000A13C8();
              					return 0;
              				}
              				return 0;
              			}

              0x000a1a69
              0x000a1a6a
              0x000a1a6f
              0x000a1a72
              0x000a1a75
              0x000a1a7a
              0x000a1a86
              0x000a1a88
              0x000a1a8d
              0x000a1a8d
              0x000a1a97
              0x000a1aa1
              0x000a1aab
              0x000a1ab0
              0x000a1ab5
              0x000a1ab7
              0x000a1abc
              0x000a1ac8
              0x000a1aca
              0x000a1acf
              0x000a1acf
              0x000a1ad7
              0x000a1adb
              0x000a1adc
              0x000a1ae8
              0x000a1aeb
              0x000a1aed
              0x000a1af2
              0x000a1af2
              0x000a1afb
              0x000a1afe
              0x000a1b01
              0x000a1b0d
              0x000a1b0f
              0x000a1b14
              0x00000000
              0x000a1b14
              0x000a1b19

              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: I
              • API String ID: 0-4276371480
              • Opcode ID: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction ID: 237f882b25c5d5e274468a2d0e7cd189f094dd50f3f4779c80cf88a40be7c5f8
              • Opcode Fuzzy Hash: 121e3908fa5260c7663f38050afef91e7e1eff1eb31aaed711ef4019e0bbb2d8
              • Instruction Fuzzy Hash: 5E01007024C7D09EE315AFEA99927EE3AD5DB5F700F048464F100AAAE2C7B848808F61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E000A2724(void* __eax) {
              				void* _t3;
              				void* _t6;
              
              				if(__eax <= 0) {
              					_t6 = 0;
              				} else {
              					_t3 =  *0x1c6040(); // executed
              					_t6 = _t3;
              					if(_t6 == 0) {
              						E000A289C(1);
              					}
              				}
              				return _t6;
              			}

              0x000a2727
              0x000a273e
              0x000a2729
              0x000a2729
              0x000a272f
              0x000a2733
              0x000a2737
              0x000a2737
              0x000a2733
              0x000a2743

              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: P!
              • API String ID: 0-4290186079
              • Opcode ID: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction ID: 8bb81cf7096825d91731a04518ba5ff84630100b93d49d467f7c4f2298d8cf02
              • Opcode Fuzzy Hash: 382c5e31f57d16a4188be3d5a5c6b7656b9815a0870e278003af1a93c344b385
              • Instruction Fuzzy Hash: A6C09B6430D7034757643FFD1DD557F55C86F1A3053500035F901D6723DE45CD546661
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction ID: 0d705a3d7ed876027d04e2d2c42f9f7c11b057484529eae91f04001a24a049a7
              • Opcode Fuzzy Hash: 0b22761d514393e5ca79010f5b77685f42d01a6dbb98b1c03f2e50e75f5cfe0e
              • Instruction Fuzzy Hash: 7F41B2B1A08340AFE714CFECDCC166E77E0EB9A314F158279D4159BAA1D33499818F40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E000A5DD0() {
              				void* _t24;
              				void* _t26;
              				void* _t28;
              				void* _t33;
              				void* _t38;
              				void* _t42;
              				char* _t46;
              				void* _t47;
              				void* _t54;
              				void* _t56;
              
              				_push(0x105);
              				_push( *((intOrPtr*)(_t56 - 4)));
              				_push(_t56 - 0x11d);
              				L000A12EC();
              				_push(5);
              				_t24 = _t56 - 0xd;
              				_push(_t24);
              				_push(3);
              				L000A12D4();
              				_push(_t24);
              				L000A12AC();
              				_t54 = 0;
              				if( *((char*)(_t56 - 0x11d)) == 0 ||  *((char*)(_t56 - 0xd)) == 0 &&  *((char*)(_t56 - 0x12)) == 0) {
              					L14:
              					return _t54;
              				} else {
              					_t26 = _t56 - 0x11d;
              					_push(_t26);
              					L000A12F4();
              					_t46 = _t26 + _t56 - 0x11d;
              					L5:
              					if( *_t46 != 0x2e && _t46 != _t56 - 0x11d) {
              						_t46 = _t46 - 1;
              						goto L5;
              					}
              					_t28 = _t56 - 0x11d;
              					if(_t46 != _t28) {
              						_t47 = _t46 + 1;
              						if( *((char*)(_t56 - 0x12)) != 0) {
              							_push(0x105 - _t47 - _t28);
              							_push(_t56 - 0x12);
              							_push(_t47);
              							L000A12EC();
              							_push(2);
              							_push(0);
              							_t42 = _t56 - 0x11d;
              							_push(_t42);
              							L000A12DC();
              							_t54 = _t42;
              						}
              						if(_t54 == 0 &&  *((char*)(_t56 - 0xd)) != 0) {
              							_push(0x105 - _t47 - _t56 - 0x11d);
              							_push(_t56 - 0xd);
              							_push(_t47);
              							L000A12EC();
              							_push(2);
              							_push(0);
              							_t33 = _t56 - 0x11d;
              							_push(_t33); // executed
              							L000A12DC(); // executed
              							_t54 = _t33;
              							if(_t54 == 0) {
              								 *((char*)(_t56 - 0xb)) = 0;
              								_push(0x105 - _t47 - _t56 - 0x11d);
              								_push(_t56 - 0xd);
              								_push(_t47);
              								L000A12EC();
              								_push(2);
              								_push(0);
              								_t38 = _t56 - 0x11d;
              								_push(_t38); // executed
              								L000A12DC(); // executed
              								_t54 = _t38;
              							}
              						}
              					}
              					goto L14;
              				}
              			}

              Instruction addresses: 0x000a5dd0 0x000a5dd8 0x000a5ddf 0x000a5de0 0x000a5de5 0x000a5de7 0x000a5dea 0x000a5deb 0x000a5ded 0x000a5df2 0x000a5df3 0x000a5df8 0x000a5e01 0x000a5eea 0x000a5ef1 0x000a5e17 0x000a5e17 0x000a5e1d 0x000a5e1e 0x000a5e2b 0x000a5e30 0x000a5e33 0x000a5e2f 0x00000000 0x000a5e2f 0x000a5e3f 0x000a5e47 0x000a5e4d 0x000a5e52 0x000a5e5f 0x000a5e63 0x000a5e64 0x000a5e65 0x000a5e6a 0x000a5e6c 0x000a5e6e 0x000a5e74 0x000a5e75 0x000a5e7a 0x000a5e7a 0x000a5e7e 0x000a5e97 0x000a5e9b 0x000a5e9c 0x000a5e9d 0x000a5ea2 0x000a5ea4 0x000a5ea6 0x000a5eac 0x000a5ead 0x000a5eb2 0x000a5eb6 0x000a5eb8 0x000a5ecd 0x000a5ed1 0x000a5ed2 0x000a5ed3 0x000a5ed8 0x000a5eda 0x000a5edc 0x000a5ee2 0x000a5ee3 0x000a5ee8 0x000a5ee8 0x000a5eb6 0x000a5e7e 0x00000000 0x000a5e47

              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SOLUTION_EMBEDDEDSERVER$Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 0-4128219596
              • Opcode ID: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction ID: 00a9e7246efb8fa479983cadeeb5bb281c6e74308e0f9605804b6d034709bbed
              • Opcode Fuzzy Hash: 0cf124b659e39648331c8c566e953333273a93c6422db3474b12b148deea0d2f
              • Instruction Fuzzy Hash: E8318271E0065C7AEB29D6F8DC4AFDF7AEC9B45380F0441E5A604E6182E674CFA48B50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E0018B3B0() {
              				void* _t13;
              				intOrPtr* _t14;
              				intOrPtr* _t18;
              				intOrPtr _t19;
              				signed int _t22;
              				intOrPtr* _t23;
              				intOrPtr _t26;
              				intOrPtr* _t27;
              				intOrPtr* _t34;
              				intOrPtr* _t35;
              				intOrPtr* _t37;
              				void* _t41;
              				void* _t42;
              				void* _t54;
              
              				L000A6E54();
              				_t41 = _t13;
              				_t26 = 0;
              				_t42 = 0x1e;
              				while(1) {
              					_push(0x3e8); // executed
              					L000AFC00(); // executed
              					if(_t42 < 0x1e) {
              						goto L9;
              					}
              					_t14 =  *0x1e9c5c; // 0x1f2580
              					if( *((char*)( *_t14 + 0xdd60)) == 0) {
              						L8:
              						_t42 = 0;
              						goto L9;
              					}
              					_t18 =  *0x1e9c5c; // 0x1f2580
              					_t19 =  *_t18;
              					if( *((char*)(_t19 + 0x178)) != 0) {
              						goto L8;
              					}
              					L000A6E54();
              					_t27 = 0x3c;
              					_t22 = (_t19 - _t41) / 0x3e8 / 0x3c;
              					_t34 =  *0x1e9b00; // 0x1f6e44
              					if( *_t34 != 0) {
              						_t37 =  *0x1e9c5c; // 0x1f2580
              						_t11 =  *_t37 + 0xdd64; // 0x0
              						_t27 =  *0x1e9b00; // 0x1f6e44
              						 *_t27 =  *_t11 - _t22;
              					}
              					_t35 =  *0x1e9c5c; // 0x1f2580
              					_t12 =  *_t35 + 0xdd64; // 0x0
              					if(_t22 >=  *_t12) {
              						_t23 =  *0x1e9b00; // 0x1f6e44
              						 *_t23 = 0;
              						L0018BB6C( *0x1f6b18, 4, _t41, _t42);
              					}
              					goto L8;
              					L9:
              					_t52 = _t26 - 0x3c;
              					if(_t26 >= 0x3c) {
              						L0018B190( *0x1f6b18, _t26, _t27, 4, _t41, _t42, _t52, _t54);
              						_t26 = 0;
              					}
              					_t26 = _t26 + 1;
              					_t42 = _t42 + 1;
              				}
              			}

              Instruction addresses: 0x0018b3b6 0x0018b3bb 0x0018b3bd 0x0018b3bf 0x0018b3c4 0x0018b3c4 0x0018b3c9 0x0018b3d1 0x00000000 0x00000000 0x0018b3d7 0x0018b3e5 0x0018b458 0x0018b458 0x00000000 0x0018b458 0x0018b3e7 0x0018b3ec 0x0018b3f5 0x00000000 0x00000000 0x0018b3f7 0x0018b407 0x0018b40e 0x0018b410 0x0018b419 0x0018b41b 0x0018b423 0x0018b42b 0x0018b431 0x0018b431 0x0018b433 0x0018b43b 0x0018b441 0x0018b443 0x0018b44a 0x0018b453 0x0018b453 0x00000000 0x0018b45a 0x0018b45a 0x0018b45d 0x0018b464 0x0018b469 0x0018b469 0x0018b46b 0x0018b46c 0x0018b46c

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction ID: 02173bd9049bbe49f0f6d16a30dac8a9c6ced30b8995b214ce555747622a52b6
              • Opcode Fuzzy Hash: dd14c718171316eaee92940d077878b34e2cca5ea5264cbaf0e4b67493649003
              • Instruction Fuzzy Hash: 41119174748580CFD305EFA9D8C5A69B3E7BB8A300F548271E4098B7A6CF709D86CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E000A1710(signed int __eax, signed int* __ecx, intOrPtr __edx) {
              				signed int _v20;
              				signed int* _v24;
              				intOrPtr* _v40;
              				signed int _t15;
              				intOrPtr* _t16;
              				signed int _t17;
              				signed int _t27;
              				intOrPtr* _t29;
              				signed int _t31;
              				intOrPtr* _t32;
              
              				_v24 = __ecx;
              				 *_t32 = __edx;
              				_t31 = __eax & 0xfffff000;
              				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
              				 *_v24 = _t31;
              				_t15 = _v20 - _t31;
              				_v24[1] = _t15;
              				_t29 =  *0x1eb5ec; // 0xd3a8ec
              				while(_t29 != 0x1eb5ec) {
              					_t7 = _t29 + 8; // 0x2da0000
              					_t17 =  *_t7;
              					_t8 = _t29 + 0xc; // 0x100000
              					_t27 =  *_t8 + _t17;
              					if(_t31 > _t17) {
              						_t17 = _t31;
              					}
              					if(_t27 > _v20) {
              						_t27 = _v20;
              					}
              					if(_t27 > _t17) {
              						_push(4);
              						_push(0x1000);
              						_push(_t27 - _t17);
              						_push(_t17); // executed
              						L000A13A8(); // executed
              						if(_t15 == 0) {
              							_t16 = _v40;
              							 *_t16 = 0;
              							return _t16;
              						}
              					}
              					_t29 =  *_t29;
              				}
              				return _t15;
              			}

              Instruction addresses: 0x000a1717 0x000a171b 0x000a1722 0x000a1737 0x000a173f 0x000a1745 0x000a174b 0x000a174e 0x000a1792 0x000a1756 0x000a1756 0x000a1759 0x000a175c 0x000a1760 0x000a1762 0x000a1762 0x000a1768 0x000a176a 0x000a176a 0x000a1770 0x000a1772 0x000a1774 0x000a177b 0x000a177c 0x000a177d 0x000a1784 0x000a1786 0x000a178c 0x00000000 0x000a178c 0x000a1784 0x000a1790 0x000a1790 0x000a17a1

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction ID: 3df9ce35553b71551fe55ec28f3f7d764df5770ce22f229102da47762b4534b4
              • Opcode Fuzzy Hash: 0937dbc1a34ab26b0669caca4b5c18db267804f59c429de7810fe001359601a2
              • Instruction Fuzzy Hash: BB117C76A087019BC360DF69C980AAFB7E5EFC5760F15C52CE59897354D730AC448A91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E000A17A4(void* __eax, signed int* __ecx, void* __edx) {
              				signed int _t7;
              				signed int _t9;
              				signed int _t14;
              				intOrPtr* _t19;
              				signed int _t22;
              				signed int* _t23;
              
              				_push(__ecx);
              				 *_t23 = __eax + 0x00000fff & 0xfffff000;
              				_t22 = __eax + __edx & 0xfffff000;
              				 *__ecx =  *_t23;
              				_t7 = _t22 -  *_t23;
              				__ecx[1] = _t7;
              				_t19 =  *0x1eb5ec; // 0xd3a8ec
              				while(_t19 != 0x1eb5ec) {
              					_t2 = _t19 + 8; // 0x2da0000
              					_t9 =  *_t2;
              					_t3 = _t19 + 0xc; // 0x100000
              					_t14 =  *_t3 + _t9;
              					if(_t9 <  *_t23) {
              						_t9 =  *_t23;
              					}
              					if(_t22 < _t14) {
              						_t14 = _t22;
              					}
              					if(_t14 > _t9) {
              						_push(0x4000);
              						_push(_t14 - _t9);
              						_push(_t9); // executed
              						L000A13B0(); // executed
              						if(_t7 == 0) {
              							 *0x1eb5c8 = 2;
              						}
              					}
              					_t19 =  *_t19;
              				}
              				return _t7;
              			}

              Instruction addresses: 0x000a17a8 0x000a17b9 0x000a17c0 0x000a17c9 0x000a17cd 0x000a17d0 0x000a17d3 0x000a1813 0x000a17db 0x000a17db 0x000a17de 0x000a17e1 0x000a17e6 0x000a17e8 0x000a17e8 0x000a17ed 0x000a17ef 0x000a17ef 0x000a17f3 0x000a17f5 0x000a17fc 0x000a17fd 0x000a17fe 0x000a1805 0x000a1807 0x000a1807 0x000a1805 0x000a1811 0x000a1811 0x000a1820

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction ID: a8cbd01222597fabcc187dd99ab59c6ee2a113b6a0e0453285a1b7454905734e
              • Opcode Fuzzy Hash: 5743595355f609a839f0a29252146db5dee6f9e7106765539cf2f6bab1361d79
              • Instruction Fuzzy Hash: 7301F77760C6045BC3109FA8DCC0AAE77E8EF86360F15463CEA8497741D336AC428BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E000A157C(intOrPtr __eax, intOrPtr* __edx) {
              				intOrPtr _t2;
              				intOrPtr* _t6;
              				intOrPtr _t9;
              				signed int _t12;
              
              				_t2 = __eax;
              				_t6 = __edx;
              				if(__eax >= 0x100000) {
              					_t12 = __eax + 0x0000ffff & 0xffff0000;
              				} else {
              					_t12 = 0x100000;
              				}
              				 *(_t6 + 4) = _t12;
              				_push(1);
              				_push(0x2000);
              				_push(_t12);
              				_push(0); // executed
              				L000A13A8(); // executed
              				_t9 = _t2;
              				 *_t6 = _t9;
              				if(_t9 != 0) {
              					_t2 = E000A1430(0x1eb5ec, _t6);
              					if(_t2 == 0) {
              						_push(0x8000);
              						_push(0);
              						_push( *_t6);
              						L000A13B0();
              						 *_t6 = 0;
              						return 0;
              					}
              				}
              				return _t2;
              			}

              Instruction addresses: 0x000a157c 0x000a157f 0x000a1589 0x000a1598 0x000a158b 0x000a158b 0x000a158b 0x000a159e 0x000a15a1 0x000a15a3 0x000a15a8 0x000a15a9 0x000a15ab 0x000a15b0 0x000a15b2 0x000a15b6 0x000a15bf 0x000a15c6 0x000a15c8 0x000a15cd 0x000a15d1 0x000a15d2 0x000a15d9 0x00000000 0x000a15d9 0x000a15c6 0x000a15de

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction ID: 46c0abcff8e54cf27606c570806e331d82ca7f3ed887ea63f3b19b251b979133
              • Opcode Fuzzy Hash: ba64ea212adb7789b5eb3c74e2da22ab0e753570014c6edca927e3d7c60b6a21
              • Instruction Fuzzy Hash: E2F02773F00A2097EB209AFA0D81BD65AD59FCB790F144170FA49EF3CAE6A18C0043A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E000A5A88(void* __eax) {
              				char _v272;
              				intOrPtr _t13;
              				void* _t15;
              				intOrPtr _t17;
              				intOrPtr _t18;
              
              				_t15 = __eax;
              				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
              					_push(0x105);
              					_push( &_v272);
              					_t3 = _t15 + 4; // 0x70000
              					_push( *_t3);
              					L000A12B4();
              					_t13 = E000A5CC4(_t18); // executed
              					_t17 = _t13;
              					 *((intOrPtr*)(_t15 + 0x10)) = _t17;
              					if(_t17 == 0) {
              						_t5 = _t15 + 4; // 0x70000
              						 *((intOrPtr*)(_t15 + 0x10)) =  *_t5;
              					}
              				}
              				_t7 = _t15 + 0x10; // 0x70000
              				return  *_t7;
              			}

              Instruction addresses: 0x000a5a90 0x000a5a96 0x000a5a98 0x000a5aa1 0x000a5aa2 0x000a5aa5 0x000a5aa6 0x000a5aaf 0x000a5ab4 0x000a5ab6 0x000a5abb 0x000a5abd 0x000a5ac0 0x000a5ac0 0x000a5abb 0x000a5ac3 0x000a5ace

              Memory Dump Source
              • Source File: 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000006.00000002.378932608.0000000000070000.00000002.00020000.sdmp
              • Associated: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378948726.000000000008A000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.378954598.000000000008E000.00000080.00020000.sdmp
              • Associated: 00000006.00000002.379138068.00000000001EB000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379146160.00000000001F7000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379195568.0000000000218000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379356413.0000000000332000.00000040.00020000.sdmp
              • Associated: 00000006.00000002.379361025.0000000000335000.00000040.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction ID: fd79b517d5f2c4eb6d96593d1a3f1bda0f5faa87980ead7665a36c0e20983b64
              • Opcode Fuzzy Hash: 88cc3a463696effd8e4d9ba0a510c8e7b78cae650f1ce96a5ec041622c2e4f28
              • Instruction Fuzzy Hash: EEE03971A007109BCB50DE9898C1A8233D8AB09751F044A51AC58CF34AD3B0DD208BE1
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions