Play interactive tour

Edit tour

Windows Analysis Report rPP7AHsBQt

Overview

General Information

Sample Name:	rPP7AHsBQt (renamed file extension from none to dll)
Analysis ID:	492692
MD5:	6966f6e2c68c1f536d63b50bb966c031
SHA1:	c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256:	67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Queues an APC in another process (thread injection)

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Binary contains a suspicious time stamp

Potential key logger detected (key state polling based)

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5548 cmdline: loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 4312 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5560 cmdline: rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2716 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RDVGHelper.exe (PID: 6456 cmdline: C:\Windows\system32\RDVGHelper.exe MD5: 0BF1E2262C95164A0B244174167FBD85)

RDVGHelper.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe MD5: 0BF1E2262C95164A0B244174167FBD85)

wusa.exe (PID: 6884 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

wusa.exe (PID: 6940 cmdline: C:\Users\user\AppData\Local\v74M\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

Dxpserver.exe (PID: 3476 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

Dxpserver.exe (PID: 4116 cmdline: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

InfDefaultInstall.exe (PID: 6700 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)

InfDefaultInstall.exe (PID: 6708 cmdline: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)

sethc.exe (PID: 7036 cmdline: C:\Windows\system32\sethc.exe MD5: 1C0BF0B710016600C9D9F23CC7103C0A)

sethc.exe (PID: 7068 cmdline: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe MD5: 1C0BF0B710016600C9D9F23CC7103C0A)

DevicePairingWizard.exe (PID: 6340 cmdline: C:\Windows\system32\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)

DevicePairingWizard.exe (PID: 5596 cmdline: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)

rundll32.exe (PID: 1748 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: rPP7AHsBQt.dll	Metadefender: Detection: 60%			Perma Link
Source: rPP7AHsBQt.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Show sources

Source: rPP7AHsBQt.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\AzSj\newdev.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree,	28_2_00007FF6D6598780
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDEFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle,	31_2_00007FF7D7EDEFCC
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDF224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError,	31_2_00007FF7D7EDF224

Source: rPP7AHsBQt.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wusa.pdbGCTL source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: wusa.pdb source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: wscript.pdbGCTL source: wscript.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: sethc.pdbGCTL source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: wbengine.pdb source: wbengine.exe.7.dr
Source:	Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: wscript.pdb source: wscript.exe.7.dr
Source:	Binary string: sethc.pdb source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: RDVGHelper.pdb source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D290 FindFirstFileExW,	1_2_000000014005D290
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,	28_2_00007FF6D6591BC0
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,	28_2_00007FF6D6598D04
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,	31_2_00007FF7D7EB1914

Source: explorer.exe, 00000007.00000000.302989833.0000000008CBE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.coG
Source: explorer.exe, 00000007.00000000.298400230.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe

Code function: 38_2_00007FF61C026DE0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput,

38_2_00007FF61C026DE0

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034870	1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035270	1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048AC0	1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C340	1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140065B80	1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0	1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400524B0	1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026CC0	1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BD40	1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400495B0	1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036F30	1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069010	1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001010	1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066020	1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F840	1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D850	1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064080	1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140010880	1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400688A0	1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D0D0	1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400018D0	1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016100	1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D100	1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A110	1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D910	1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015120	1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000B120	1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F940	1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039140	1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023140	1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057950	1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E170	1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002980	1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400611A0	1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A0	1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400381A0	1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E1B0	1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400139D0	1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400319F0	1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA00	1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022A00	1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B220	1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067A40	1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069A50	1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007A60	1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AAC0	1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A2E0	1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140062B00	1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018300	1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FB20	1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031340	1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022340	1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017B40	1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BB40	1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EB60	1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005370	1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CB80	1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B390	1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140054BA0	1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033BB0	1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400263C0	1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400123C0	1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063BD0	1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400663F0	1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023BF0	1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B41B	1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B424	1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B42D	1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B436	1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B43D	1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024440	1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005C40	1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B446	1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005F490	1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D00	1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035520	1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019D20	1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030530	1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023530	1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031540	1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033540	1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014007BD50	1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140078570	1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019580	1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205A0	1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025DB0	1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140071DC0	1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000C5C0	1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DDE0	1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DF0	1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000DDF0	1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001620	1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018630	1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032650	1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064E80	1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016E80	1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007EA0	1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400286B0	1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006EB0	1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400276C0	1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FEC0	1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EED0	1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B6E0	1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053F20	1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022730	1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029780	1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018F80	1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003EFB0	1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400067B0	1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400667D0	1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060FE0	1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF7877793E0	23_2_00007FF7877793E0
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787771608	23_2_00007FF787771608
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787774530	23_2_00007FF787774530
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787772378	23_2_00007FF787772378
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598780	28_2_00007FF6D6598780
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6599910	28_2_00007FF6D6599910
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D659356C	28_2_00007FF6D659356C
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65923F0	28_2_00007FF6D65923F0
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D659A0FC	28_2_00007FF6D659A0FC
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6593D88	28_2_00007FF6D6593D88
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6595EA4	28_2_00007FF6D6595EA4
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0	28_2_00007FF6D6591BC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914	31_2_00007FF7D7EB1914
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED2900	31_2_00007FF7D7ED2900
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC8CC0	31_2_00007FF7D7EC8CC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB5CB8	31_2_00007FF7D7EB5CB8
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EBAC8C	31_2_00007FF7D7EBAC8C
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDBC70	31_2_00007FF7D7EDBC70
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECA064	31_2_00007FF7D7ECA064
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECF460	31_2_00007FF7D7ECF460
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC3C38	31_2_00007FF7D7EC3C38
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED1000	31_2_00007FF7D7ED1000
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB7404	31_2_00007FF7D7EB7404
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED8BE0	31_2_00007FF7D7ED8BE0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDEFCC	31_2_00007FF7D7EDEFCC
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED0790	31_2_00007FF7D7ED0790
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED6740	31_2_00007FF7D7ED6740
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB5330	31_2_00007FF7D7EB5330
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC1B14	31_2_00007FF7D7EC1B14
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDD6F0	31_2_00007FF7D7EDD6F0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EBB2C0	31_2_00007FF7D7EBB2C0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED3E80	31_2_00007FF7D7ED3E80
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED4A44	31_2_00007FF7D7ED4A44
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB4A44	31_2_00007FF7D7EB4A44
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDF224	31_2_00007FF7D7EDF224
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECCE20	31_2_00007FF7D7ECCE20
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB661C	31_2_00007FF7D7EB661C
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDC5F0	31_2_00007FF7D7EDC5F0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED5DC0	31_2_00007FF7D7ED5DC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC7170	31_2_00007FF7D7EC7170
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB2950	31_2_00007FF7D7EB2950
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC3554	31_2_00007FF7D7EC3554
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1078	36_2_00007FF6EE8A1078
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C023E00	38_2_00007FF61C023E00
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C025504	38_2_00007FF61C025504
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C021524	38_2_00007FF61C021524
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D31D0	41_2_00007FF6159D31D0

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: String function: 00007FF6D6599520 appears 162 times

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6593A2C memset,GetSystemDirectoryW,wcsrchr,memset,CreateProcessAsUserW,GetLastError,WaitForSingleObject,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,CloseHandle,CloseHandle,LocalFree,

28_2_00007FF6D6593A2C

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046C90 NtClose,	1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,	1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02A38C NtQueryWnfStateData,	38_2_00007FF61C02A38C

Source: RdpSaUacHelper.exe.7.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: rPP7AHsBQt.dll

Binary or memory string: OriginalFilenamekbdyj% vs rPP7AHsBQt.dll

Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevicePairingWizard.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: rPP7AHsBQt.dll	Static PE information: Number of sections : 34 > 10
Source: WTSAPI32.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: wer.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: WINSTA.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: VERSION.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: newdev.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: WTSAPI32.dll0.7.dr	Static PE information: Number of sections : 35 > 10
Source: dwmapi.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: OLEACC.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: MFC42u.dll.7.dr	Static PE information: Number of sections : 35 > 10

Source: rPP7AHsBQt.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rPP7AHsBQt.dll	Metadefender: Detection: 60%
Source: rPP7AHsBQt.dll	ReversingLabs: Detection: 75%

Source: rPP7AHsBQt.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RDVGHelper.exe C:\Windows\system32\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\v74M\wusa.exe C:\Users\user\AppData\Local\v74M\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sethc.exe C:\Windows\system32\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RDVGHelper.exe C:\Windows\system32\RDVGHelper.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\v74M\wusa.exe C:\Users\user\AppData\Local\v74M\wusa.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sethc.exe C:\Windows\system32\sethc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6595438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree,

28_2_00007FF6D6595438

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Jump to behavior

Source: Dxpserver.exe.7.dr	Binary string: FNULL%s\....Device%s\%s%s%s\%s%s\Device\%s%s\Device
Source: wbengine.exe.7.dr	Binary string: 3Z((HANDLE)(LONG_PTR)-1) != hFilebase\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cppExtractVolumePath(ssPath, ssVolumePath)SplitDirPath( ssDirPath, ssParentDir, ssDirName )GetParentPaths(ssPath, arrstrPaths)ssDirPath.Length() != 0base\stor\blb\dsm\dsmutils\dll\fsutils.cpppstrPath != 0pstrName != 0CLOCK$COMLPTCONPRNAUXNUL\\?\GLOBALROOT\Device\base\stor\blb\dsm\dsmutils\dll\fsutils.cppInvalid path:%lsssPath.Length() > 0GetVolumePrefixLength failed for %lsFailed to parse path:%lsExtractVolumePath(ssWorkingPath, ssVolumePath)ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'(((HRESULT)(hrReason)) < 0)pstrPath && pstrPath[0]pfIsReparsedppstrReparsePtPath && (ppstrReparsePtPath == 0)GetFileAttributes() failed on:%lsIsPathMountPoint(ssPath.PeekStr(), &fMountPoint)pszVolumePath != 0phVolume != 0ssVolumePath[ssVolumePath.Length() - 1] == L'\\'Failed to open volume:%ls((HANDLE)(LONG_PTR)-1) == hVolumeppstrPath && ppstrPath == 0dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'0 != pdwFileAttributesGetFileInformationByHandle(hFile, &fileInfo)0 != lpstrFilePathCreateFile unsuccessful for %wsFSWrapperGetFileAttributes(hFile, pdwFileAttributes)0 != pFileAttributesGetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))GetFileSize failed for %ws((DWORD)-1) != dwFileAttributesGetFileInformationByHandleEx failedSetFileInformationByHandle failedFSWrapperSetFileAttributes(hFile, dwFileAttributes)SplitDirPath(strPath, strParent, strChild)Path %S is invalid as it contains a '.' or '..', hr=0x%08xHRESULT_FROM_WIN32(GetLastError())wszPath && wszPath[0]pfIsPathMountPoint
Source: wbengine.exe.7.dr	Binary string: abase\stor\blb\engine\blbengutils\blbvolumeutils.cpppbFloppypguidVolumeId != NULLpbIsCritical != NULLpguidVolumeIdwszMountedDeviceNamewszVolumeGuidpwszReparsePointName\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%dWsbMountedVolumeFile%lu_%spVolumeCatrgVolumeLocalwszVolumeGuidPathpwszVolumeGlobalRootPathVolume%ws\\?\GLOBALROOT%wspdwlJournalIdplastUsnwszVolumeName && *wszVolumeNamepbPerformResizepdwlUsnSizevssSnapshotId != GUID_NULLdwlJournalId != BLB_INVALID_USN_JOURNAL_IDusnBeforeSnapShot != BLB_INVALID_USN_IDwszBackupSetDirectorypwszVhdPathwszVolumeName != NULLpbIsVolumeOnSharedDisk != NULLpbIsCSVpdwVolumeNumber?UV9
Source: wbengine.exe.7.dr	Binary string: base\stor\blb\catalog\compare.cpprowid1 != rowid2pKey->m_type == pCol->m_typepRow1 > pRow2_hImpersonationToken != INVALID_HANDLE_VALUEbase\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsuCurrentBit < HintSpaceBitmapSizeExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecovery\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\{{3808876B-C176-4e48-B7AE-04046E6CC752}ReplicationContext->FirstBlock != NULLIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGBackupFileName != NULLReplicationHandleReplicationContext != NULLoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSizereadBuffer != NULL\pagefile.sys\hiberfil.sys!IsListEmpty(&diffsInSource){IQ
Source: wbengine.exe.7.dr	Binary string: e\\?\Globalroot\Device\Harddisk%lu\Partition1\\?\Globalroot\Device\Harddisk%lu\Partition2\\?\Globalroot\Device\HarddiskVolume%luChild_{47b7fa87-ce42-48ff-8b18-2f1088121503}WindowsBackupLinksbase\stor\blb\engine\blbengutils\blbvhdhelper.cppwszVhdFile && wszVhdFilepwszVolumeDevicePathwszDiskPath && wszDiskPathpwszVolumePathwszMountedDeviceName && wszMountedDeviceNamepCBlbVhdwszMountedVolumePathNoSlash && wszMountedVolumePathNoSlashpVhdContextpVhdContextForRemovalwszVolumeDevicePath && wszVolumeDevicePathppVhdContextpVhdContext->m_pCBlbVhdsdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 \|\| sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfopbIsVolVirtualppStorageDepInfowszTargetVolName && wszTargetVolNamewszVirtualSrcVolName && wszVirtualSrcVolNamepbIsVirtualSrcVolDependantpVolumeVHDInfo != NULLpstDepInfo != NULLpstDepInfoType2MaxAncestor != NULLpwszDiffVhdFilePath && pwszVhdTempPath%ws_%ws_%wspProgressReportCallbackContextwszVHDVolumeDevicePathpbCompactionRequiredwszVhdFilepGuidSnapshotIdwszVHDVolumeDevicePath && wszVHDVolumeDevicePathpdwVHDDeviceDiskNumberpVhdHandle

Source: classification engine

Classification label: mal96.troj.evad.winDLL@41/19@0/1

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D65923F0 CoInitializeEx,CoCreateInstance,CoCreateInstance,SysAllocString,SysAllocString,VariantInit,RegCreateKeyExW,RegSetValueExW,ShowWindow,GetCommandLineW,EventWrite,SysFreeString,SysFreeString,SysFreeString,SysFreeString,RegCloseKey,CoUninitialize,LocalFree,

28_2_00007FF6D65923F0

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6594EA8 FormatMessageW,GetLastError,wcsrchr,LocalFree,

28_2_00007FF6D6594EA8

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue

Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Mutant created: \Sessions\1\BaseNamedObjects\{64861cbe-e0eb-8b07-73e1-c85e5ae3b186}
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Mutant created: \Sessions\1\BaseNamedObjects\{643c605e-c57f-c264-fd43-c1594ee41ce2}

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EB5CB8 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,memset,GetModuleFileNameW,

31_2_00007FF7D7EB5CB8

Source: wusa.exe	String found in binary or memory: Failed to display update-installed message box
Source: wusa.exe	String found in binary or memory: Failed to display update-not-installed message box

Source: rPP7AHsBQt.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: rPP7AHsBQt.dll

Static file information: File size 1777664 > 1048576

Source: rPP7AHsBQt.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wusa.pdbGCTL source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: wusa.pdb source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: wscript.pdbGCTL source: wscript.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: sethc.pdbGCTL source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: wbengine.pdb source: wbengine.exe.7.dr
Source:	Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: wscript.pdb source: wscript.exe.7.dr
Source:	Binary string: sethc.pdb source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: RDVGHelper.pdb source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056A4D push rdi; ret	1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF78777B652 push rcx; ret	23_2_00007FF78777B653
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A15F8 push rbx; retf	28_2_00007FF6D65A15F9
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A1964 push rbx; iretd	28_2_00007FF6D65A1965

Source: rPP7AHsBQt.dll	Static PE information: section name: .qkm
Source: rPP7AHsBQt.dll	Static PE information: section name: .cvjb
Source: rPP7AHsBQt.dll	Static PE information: section name: .tlmkv
Source: rPP7AHsBQt.dll	Static PE information: section name: .wucsxe
Source: rPP7AHsBQt.dll	Static PE information: section name: .fltwtj
Source: rPP7AHsBQt.dll	Static PE information: section name: .tblq
Source: rPP7AHsBQt.dll	Static PE information: section name: .hcmjm
Source: rPP7AHsBQt.dll	Static PE information: section name: .nagyk
Source: rPP7AHsBQt.dll	Static PE information: section name: .jrucz
Source: rPP7AHsBQt.dll	Static PE information: section name: .rnr
Source: rPP7AHsBQt.dll	Static PE information: section name: .ths
Source: rPP7AHsBQt.dll	Static PE information: section name: .vyfudm
Source: rPP7AHsBQt.dll	Static PE information: section name: .bejn
Source: rPP7AHsBQt.dll	Static PE information: section name: .lxdw
Source: rPP7AHsBQt.dll	Static PE information: section name: .uffn
Source: rPP7AHsBQt.dll	Static PE information: section name: .cbmla
Source: rPP7AHsBQt.dll	Static PE information: section name: .fcy
Source: rPP7AHsBQt.dll	Static PE information: section name: .aady
Source: rPP7AHsBQt.dll	Static PE information: section name: .pqe
Source: rPP7AHsBQt.dll	Static PE information: section name: .zfem
Source: rPP7AHsBQt.dll	Static PE information: section name: .ila
Source: rPP7AHsBQt.dll	Static PE information: section name: .ygqg
Source: rPP7AHsBQt.dll	Static PE information: section name: .onr
Source: rPP7AHsBQt.dll	Static PE information: section name: .brn
Source: rPP7AHsBQt.dll	Static PE information: section name: .zch
Source: rPP7AHsBQt.dll	Static PE information: section name: .yithue
Source: rPP7AHsBQt.dll	Static PE information: section name: .jxyn
Source: rPP7AHsBQt.dll	Static PE information: section name: .bvk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .tblq
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .hcmjm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .nagyk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .jrucz
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .rnr
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ths
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .vyfudm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .bejn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .lxdw
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .uffn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .cbmla
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .fcy
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .aady
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .pqe
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .zfem
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ila
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ygqg
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .onr
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .brn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .zch
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .yithue
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .jxyn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .bvk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .pcgp
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .tblq
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .hcmjm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .nagyk
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .jrucz
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .rnr
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ths
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .vyfudm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bejn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .lxdw
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .uffn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .cbmla
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .fcy
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .aady
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .pqe
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .zfem
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ila
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ygqg
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .onr
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .brn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .zch
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .yithue
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .jxyn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bvk
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bsdm
Source: dwmapi.dll.7.dr	Static PE information: section name: .qkm
Source: dwmapi.dll.7.dr	Static PE information: section name: .cvjb
Source: dwmapi.dll.7.dr	Static PE information: section name: .tlmkv
Source: dwmapi.dll.7.dr	Static PE information: section name: .wucsxe
Source: dwmapi.dll.7.dr	Static PE information: section name: .fltwtj
Source: dwmapi.dll.7.dr	Static PE information: section name: .tblq
Source: dwmapi.dll.7.dr	Static PE information: section name: .hcmjm
Source: dwmapi.dll.7.dr	Static PE information: section name: .nagyk
Source: dwmapi.dll.7.dr	Static PE information: section name: .jrucz
Source: dwmapi.dll.7.dr	Static PE information: section name: .rnr
Source: dwmapi.dll.7.dr	Static PE information: section name: .ths
Source: dwmapi.dll.7.dr	Static PE information: section name: .vyfudm
Source: dwmapi.dll.7.dr	Static PE information: section name: .bejn
Source: dwmapi.dll.7.dr	Static PE information: section name: .lxdw
Source: dwmapi.dll.7.dr	Static PE information: section name: .uffn
Source: dwmapi.dll.7.dr	Static PE information: section name: .cbmla
Source: dwmapi.dll.7.dr	Static PE information: section name: .fcy
Source: dwmapi.dll.7.dr	Static PE information: section name: .aady
Source: dwmapi.dll.7.dr	Static PE information: section name: .pqe
Source: dwmapi.dll.7.dr	Static PE information: section name: .zfem
Source: dwmapi.dll.7.dr	Static PE information: section name: .ila
Source: dwmapi.dll.7.dr	Static PE information: section name: .ygqg
Source: dwmapi.dll.7.dr	Static PE information: section name: .onr
Source: dwmapi.dll.7.dr	Static PE information: section name: .brn
Source: dwmapi.dll.7.dr	Static PE information: section name: .zch
Source: dwmapi.dll.7.dr	Static PE information: section name: .yithue
Source: dwmapi.dll.7.dr	Static PE information: section name: .jxyn
Source: dwmapi.dll.7.dr	Static PE information: section name: .bvk
Source: dwmapi.dll.7.dr	Static PE information: section name: .cyr
Source: newdev.dll.7.dr	Static PE information: section name: .qkm
Source: newdev.dll.7.dr	Static PE information: section name: .cvjb
Source: newdev.dll.7.dr	Static PE information: section name: .tlmkv
Source: newdev.dll.7.dr	Static PE information: section name: .wucsxe
Source: newdev.dll.7.dr	Static PE information: section name: .fltwtj
Source: newdev.dll.7.dr	Static PE information: section name: .tblq
Source: newdev.dll.7.dr	Static PE information: section name: .hcmjm
Source: newdev.dll.7.dr	Static PE information: section name: .nagyk
Source: newdev.dll.7.dr	Static PE information: section name: .jrucz
Source: newdev.dll.7.dr	Static PE information: section name: .rnr
Source: newdev.dll.7.dr	Static PE information: section name: .ths
Source: newdev.dll.7.dr	Static PE information: section name: .vyfudm
Source: newdev.dll.7.dr	Static PE information: section name: .bejn
Source: newdev.dll.7.dr	Static PE information: section name: .lxdw
Source: newdev.dll.7.dr	Static PE information: section name: .uffn
Source: newdev.dll.7.dr	Static PE information: section name: .cbmla
Source: newdev.dll.7.dr	Static PE information: section name: .fcy
Source: newdev.dll.7.dr	Static PE information: section name: .aady
Source: newdev.dll.7.dr	Static PE information: section name: .pqe
Source: newdev.dll.7.dr	Static PE information: section name: .zfem
Source: newdev.dll.7.dr	Static PE information: section name: .ila
Source: newdev.dll.7.dr	Static PE information: section name: .ygqg
Source: newdev.dll.7.dr	Static PE information: section name: .onr
Source: newdev.dll.7.dr	Static PE information: section name: .brn
Source: newdev.dll.7.dr	Static PE information: section name: .zch
Source: newdev.dll.7.dr	Static PE information: section name: .yithue
Source: newdev.dll.7.dr	Static PE information: section name: .jxyn
Source: newdev.dll.7.dr	Static PE information: section name: .bvk
Source: newdev.dll.7.dr	Static PE information: section name: .hpnyp
Source: OLEACC.dll.7.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.7.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.7.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.7.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.7.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.7.dr	Static PE information: section name: .tblq
Source: OLEACC.dll.7.dr	Static PE information: section name: .hcmjm
Source: OLEACC.dll.7.dr	Static PE information: section name: .nagyk
Source: OLEACC.dll.7.dr	Static PE information: section name: .jrucz
Source: OLEACC.dll.7.dr	Static PE information: section name: .rnr
Source: OLEACC.dll.7.dr	Static PE information: section name: .ths
Source: OLEACC.dll.7.dr	Static PE information: section name: .vyfudm
Source: OLEACC.dll.7.dr	Static PE information: section name: .bejn
Source: OLEACC.dll.7.dr	Static PE information: section name: .lxdw
Source: OLEACC.dll.7.dr	Static PE information: section name: .uffn
Source: OLEACC.dll.7.dr	Static PE information: section name: .cbmla
Source: OLEACC.dll.7.dr	Static PE information: section name: .fcy
Source: OLEACC.dll.7.dr	Static PE information: section name: .aady
Source: OLEACC.dll.7.dr	Static PE information: section name: .pqe
Source: OLEACC.dll.7.dr	Static PE information: section name: .zfem
Source: OLEACC.dll.7.dr	Static PE information: section name: .ila
Source: OLEACC.dll.7.dr	Static PE information: section name: .ygqg
Source: OLEACC.dll.7.dr	Static PE information: section name: .onr
Source: OLEACC.dll.7.dr	Static PE information: section name: .brn
Source: OLEACC.dll.7.dr	Static PE information: section name: .zch
Source: OLEACC.dll.7.dr	Static PE information: section name: .yithue
Source: OLEACC.dll.7.dr	Static PE information: section name: .jxyn
Source: OLEACC.dll.7.dr	Static PE information: section name: .bvk
Source: OLEACC.dll.7.dr	Static PE information: section name: .oif
Source: MFC42u.dll.7.dr	Static PE information: section name: .qkm
Source: MFC42u.dll.7.dr	Static PE information: section name: .cvjb
Source: MFC42u.dll.7.dr	Static PE information: section name: .tlmkv
Source: MFC42u.dll.7.dr	Static PE information: section name: .wucsxe
Source: MFC42u.dll.7.dr	Static PE information: section name: .fltwtj
Source: MFC42u.dll.7.dr	Static PE information: section name: .tblq
Source: MFC42u.dll.7.dr	Static PE information: section name: .hcmjm
Source: MFC42u.dll.7.dr	Static PE information: section name: .nagyk
Source: MFC42u.dll.7.dr	Static PE information: section name: .jrucz
Source: MFC42u.dll.7.dr	Static PE information: section name: .rnr
Source: MFC42u.dll.7.dr	Static PE information: section name: .ths
Source: MFC42u.dll.7.dr	Static PE information: section name: .vyfudm
Source: MFC42u.dll.7.dr	Static PE information: section name: .bejn
Source: MFC42u.dll.7.dr	Static PE information: section name: .lxdw
Source: MFC42u.dll.7.dr	Static PE information: section name: .uffn
Source: MFC42u.dll.7.dr	Static PE information: section name: .cbmla
Source: MFC42u.dll.7.dr	Static PE information: section name: .fcy
Source: MFC42u.dll.7.dr	Static PE information: section name: .aady
Source: MFC42u.dll.7.dr	Static PE information: section name: .pqe
Source: MFC42u.dll.7.dr	Static PE information: section name: .zfem
Source: MFC42u.dll.7.dr	Static PE information: section name: .ila
Source: MFC42u.dll.7.dr	Static PE information: section name: .ygqg
Source: MFC42u.dll.7.dr	Static PE information: section name: .onr
Source: MFC42u.dll.7.dr	Static PE information: section name: .brn
Source: MFC42u.dll.7.dr	Static PE information: section name: .zch
Source: MFC42u.dll.7.dr	Static PE information: section name: .yithue
Source: MFC42u.dll.7.dr	Static PE information: section name: .jxyn
Source: MFC42u.dll.7.dr	Static PE information: section name: .bvk
Source: MFC42u.dll.7.dr	Static PE information: section name: .yjod
Source: VERSION.dll.7.dr	Static PE information: section name: .qkm
Source: VERSION.dll.7.dr	Static PE information: section name: .cvjb
Source: VERSION.dll.7.dr	Static PE information: section name: .tlmkv
Source: VERSION.dll.7.dr	Static PE information: section name: .wucsxe
Source: VERSION.dll.7.dr	Static PE information: section name: .fltwtj
Source: VERSION.dll.7.dr	Static PE information: section name: .tblq
Source: VERSION.dll.7.dr	Static PE information: section name: .hcmjm
Source: VERSION.dll.7.dr	Static PE information: section name: .nagyk
Source: VERSION.dll.7.dr	Static PE information: section name: .jrucz
Source: VERSION.dll.7.dr	Static PE information: section name: .rnr
Source: VERSION.dll.7.dr	Static PE information: section name: .ths
Source: VERSION.dll.7.dr	Static PE information: section name: .vyfudm
Source: VERSION.dll.7.dr	Static PE information: section name: .bejn
Source: VERSION.dll.7.dr	Static PE information: section name: .lxdw
Source: VERSION.dll.7.dr	Static PE information: section name: .uffn
Source: VERSION.dll.7.dr	Static PE information: section name: .cbmla
Source: VERSION.dll.7.dr	Static PE information: section name: .fcy
Source: VERSION.dll.7.dr	Static PE information: section name: .aady
Source: VERSION.dll.7.dr	Static PE information: section name: .pqe
Source: VERSION.dll.7.dr	Static PE information: section name: .zfem
Source: VERSION.dll.7.dr	Static PE information: section name: .ila
Source: VERSION.dll.7.dr	Static PE information: section name: .ygqg
Source: VERSION.dll.7.dr	Static PE information: section name: .onr
Source: VERSION.dll.7.dr	Static PE information: section name: .brn
Source: VERSION.dll.7.dr	Static PE information: section name: .zch
Source: VERSION.dll.7.dr	Static PE information: section name: .yithue
Source: VERSION.dll.7.dr	Static PE information: section name: .jxyn
Source: VERSION.dll.7.dr	Static PE information: section name: .bvk
Source: VERSION.dll.7.dr	Static PE information: section name: .mzo
Source: WINSTA.dll.7.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.7.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.7.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.7.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.7.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.7.dr	Static PE information: section name: .tblq
Source: WINSTA.dll.7.dr	Static PE information: section name: .hcmjm
Source: WINSTA.dll.7.dr	Static PE information: section name: .nagyk
Source: WINSTA.dll.7.dr	Static PE information: section name: .jrucz
Source: WINSTA.dll.7.dr	Static PE information: section name: .rnr
Source: WINSTA.dll.7.dr	Static PE information: section name: .ths
Source: WINSTA.dll.7.dr	Static PE information: section name: .vyfudm
Source: WINSTA.dll.7.dr	Static PE information: section name: .bejn
Source: WINSTA.dll.7.dr	Static PE information: section name: .lxdw
Source: WINSTA.dll.7.dr	Static PE information: section name: .uffn
Source: WINSTA.dll.7.dr	Static PE information: section name: .cbmla
Source: WINSTA.dll.7.dr	Static PE information: section name: .fcy
Source: WINSTA.dll.7.dr	Static PE information: section name: .aady
Source: WINSTA.dll.7.dr	Static PE information: section name: .pqe
Source: WINSTA.dll.7.dr	Static PE information: section name: .zfem
Source: WINSTA.dll.7.dr	Static PE information: section name: .ila
Source: WINSTA.dll.7.dr	Static PE information: section name: .ygqg
Source: WINSTA.dll.7.dr	Static PE information: section name: .onr
Source: WINSTA.dll.7.dr	Static PE information: section name: .brn
Source: WINSTA.dll.7.dr	Static PE information: section name: .zch
Source: WINSTA.dll.7.dr	Static PE information: section name: .yithue
Source: WINSTA.dll.7.dr	Static PE information: section name: .jxyn
Source: WINSTA.dll.7.dr	Static PE information: section name: .bvk
Source: WINSTA.dll.7.dr	Static PE information: section name: .sxl
Source: wer.dll.7.dr	Static PE information: section name: .qkm
Source: wer.dll.7.dr	Static PE information: section name: .cvjb
Source: wer.dll.7.dr	Static PE information: section name: .tlmkv
Source: wer.dll.7.dr	Static PE information: section name: .wucsxe
Source: wer.dll.7.dr	Static PE information: section name: .fltwtj
Source: wer.dll.7.dr	Static PE information: section name: .tblq
Source: wer.dll.7.dr	Static PE information: section name: .hcmjm
Source: wer.dll.7.dr	Static PE information: section name: .nagyk
Source: wer.dll.7.dr	Static PE information: section name: .jrucz
Source: wer.dll.7.dr	Static PE information: section name: .rnr
Source: wer.dll.7.dr	Static PE information: section name: .ths
Source: wer.dll.7.dr	Static PE information: section name: .vyfudm
Source: wer.dll.7.dr	Static PE information: section name: .bejn
Source: wer.dll.7.dr	Static PE information: section name: .lxdw
Source: wer.dll.7.dr	Static PE information: section name: .uffn
Source: wer.dll.7.dr	Static PE information: section name: .cbmla
Source: wer.dll.7.dr	Static PE information: section name: .fcy
Source: wer.dll.7.dr	Static PE information: section name: .aady
Source: wer.dll.7.dr	Static PE information: section name: .pqe
Source: wer.dll.7.dr	Static PE information: section name: .zfem
Source: wer.dll.7.dr	Static PE information: section name: .ila
Source: wer.dll.7.dr	Static PE information: section name: .ygqg
Source: wer.dll.7.dr	Static PE information: section name: .onr
Source: wer.dll.7.dr	Static PE information: section name: .brn
Source: wer.dll.7.dr	Static PE information: section name: .zch
Source: wer.dll.7.dr	Static PE information: section name: .yithue
Source: wer.dll.7.dr	Static PE information: section name: .jxyn
Source: wer.dll.7.dr	Static PE information: section name: .bvk
Source: wer.dll.7.dr	Static PE information: section name: .ilb

Source: rPP7AHsBQt.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x1c01f5
Source: WTSAPI32.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd189
Source: wer.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1b7763
Source: WINSTA.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c376e
Source: VERSION.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd771
Source: newdev.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd7de
Source: WTSAPI32.dll0.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c06b1
Source: dwmapi.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1b3793
Source: OLEACC.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1be450
Source: MFC42u.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c22ec

Source: RDVGHelper.exe.7.dr

Static PE information: 0x6FC4BD96 [Sun Jun 3 07:02:46 2029 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Show sources

Source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp

Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\v74M\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\v74M\wusa.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AzSj\newdev.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\I3GPZ\wbengine.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EC3080 WinSqmSetString,IsIconic,ShowWindow,GetSystemMenu,CheckMenuItem,

31_2_00007FF7D7EC3080

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6452

Thread sleep count: 32 > 30

Jump to behavior

Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Last function: Thread delayed

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\I3GPZ\wbengine.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005C340 GetSystemInfo,

1_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D290 FindFirstFileExW,	1_2_000000014005D290
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,	28_2_00007FF6D6591BC0
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,	28_2_00007FF6D6598D04
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,	31_2_00007FF7D7EB1914

Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.281611495.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.281611495.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.277518675.0000000006949000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000000.296064998.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.277518675.0000000006949000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EB8844 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

31_2_00007FF7D7EB8844

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EC80EC InterlockedPushEntrySList,DecodePointer,GetProcessHeap,HeapFree,

31_2_00007FF7D7EC80EC

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,

1_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787784CE0 SetUnhandledExceptionFilter,	23_2_00007FF787784CE0
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787784AEC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00007FF787784AEC
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A6830 SetUnhandledExceptionFilter,	28_2_00007FF6D65A6830
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A6AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00007FF6D65A6AA4
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EE00E0 SetUnhandledExceptionFilter,	31_2_00007FF7D7EE00E0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDFCB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00007FF7D7EDFCB0
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1810 SetUnhandledExceptionFilter,	36_2_00007FF6EE8A1810
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00007FF6EE8A1AA4
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02A808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00007FF61C02A808
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02AAC0 SetUnhandledExceptionFilter,	38_2_00007FF61C02AAC0
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D6630 SetUnhandledExceptionFilter,	41_2_00007FF6159D6630
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D6340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FF6159D6340

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: WTSAPI32.dll.7.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe

Code function: 23_2_00007FF7877752E0 calloc,CreateWellKnownSid,GetLastError,memset,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,CreateNamedPipeW,GetLastError,CreateEventW,GetLastError,free,LocalFree,

23_2_00007FF7877752E0

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6597EE8 AllocateAndInitializeSid,GetLastError,FreeSid,LocalFree,

28_2_00007FF6D6597EE8

Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.294630190.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe

23_2_00007FF7877752E0

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe

Code function: 23_2_00007FF787784E70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

23_2_00007FF787784E70

Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe

Code function: 38_2_00007FF61C022E44 GetVersionExW,SystemParametersInfoW,GetLastError,memset,GetVersionExW,memset,#460,PathFileExistsW,#65,

38_2_00007FF61C022E44

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Command and Scripting Interpreter12	Valid Accounts1	Valid Accounts1	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Access Token Manipulation11	Valid Accounts1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection313	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation11	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection313	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery25	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Timestomp1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rPP7AHsBQt.dll	60%	Metadefender		Browse
rPP7AHsBQt.dll	76%	ReversingLabs	Win64.Infostealer.Dridex
rPP7AHsBQt.dll	100%	Avira	TR/Crypt.ZPACK.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\I3GPZ\wer.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\AzSj\newdev.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.2.wusa.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
23.2.RDVGHelper.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
31.2.Dxpserver.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.2.InfDefaultInstall.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.2.sethc.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
41.2.DevicePairingWizard.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.microsoft.coG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000000.298400230.0000000006840000.00000004.00000001.sdmp	false		high
http://schemas.microsoft.coG	explorer.exe, 00000007.00000000.302989833.0000000008CBE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492692
Start date:	28.09.2021
Start time:	22:57:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rPP7AHsBQt (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@41/19@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 64.5% (good quality ratio 57.4%) Quality average: 83.3% Quality standard deviation: 34%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/492692/sample/rPP7AHsBQt.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	4CYPSBYNYQ.dll	Get hash	malicious	Browse
	RVoWoXkXlE.dll	Get hash	malicious	Browse
	DC2zX44MQr.dll	Get hash	malicious	Browse
	itB5x2K4T3.dll	Get hash	malicious	Browse
	hR33M29cgO.dll	Get hash	malicious	Browse
	ujc4RSCWM6.dll	Get hash	malicious	Browse
	VJRmwvPkMp.dll	Get hash	malicious	Browse
	zW80EdEp4O.dll	Get hash	malicious	Browse
	BUal7Z7t7a.dll	Get hash	malicious	Browse
	RG2JwdyFZp.dll	Get hash	malicious	Browse
	xmNOO4kr1W.dll	Get hash	malicious	Browse
	J68J8AW3wu.dll	Get hash	malicious	Browse
	eIqCS9Cchl.dll	Get hash	malicious	Browse
	0oSZeHvzK2.dll	Get hash	malicious	Browse
	6mRFq6lDxY.dll	Get hash	malicious	Browse
	hwhmwAJCgs.dll	Get hash	malicious	Browse
	FzIHOw5IB1.dll	Get hash	malicious	Browse
	TBt2yq48s1.dll	Get hash	malicious	Browse
	ElRN8C51mm.dll	Get hash	malicious	Browse
	peUe7aKWzZ.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107008
Entropy (8bit):	6.213211715541241
Encrypted:	false
SSDEEP:	1536:jZPv9YEIT8g15BZNWNBWNK5/FzUJmufD6o6ffv+Difx1P4dirH+Z3sUS+CvilU/s:lPBLBBbWDwff22J1Puq+y+HUk
MD5:	0BF1E2262C95164A0B244174167FBD85
SHA1:	81BD08AD31BF2665F298406F843924588BB7606B
SHA-256:	6B35C354C480D232A96EF73EABA268EF7D94F30A3D3A1161B69081B048A27E29
SHA-512:	FD01664A377359E72A67F52E8DFFDD237E24F8ACC158B3A478F71CAAC1CE2EDDB19B15E1FC66CB73E77DDED564D6A98FD3064BDA20419D8C949505457721BF5C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 4CYPSBYNYQ.dll, Detection: malicious, Browse Filename: RVoWoXkXlE.dll, Detection: malicious, Browse Filename: DC2zX44MQr.dll, Detection: malicious, Browse Filename: itB5x2K4T3.dll, Detection: malicious, Browse Filename: hR33M29cgO.dll, Detection: malicious, Browse Filename: ujc4RSCWM6.dll, Detection: malicious, Browse Filename: VJRmwvPkMp.dll, Detection: malicious, Browse Filename: zW80EdEp4O.dll, Detection: malicious, Browse Filename: BUal7Z7t7a.dll, Detection: malicious, Browse Filename: RG2JwdyFZp.dll, Detection: malicious, Browse Filename: xmNOO4kr1W.dll, Detection: malicious, Browse Filename: J68J8AW3wu.dll, Detection: malicious, Browse Filename: eIqCS9Cchl.dll, Detection: malicious, Browse Filename: 0oSZeHvzK2.dll, Detection: malicious, Browse Filename: 6mRFq6lDxY.dll, Detection: malicious, Browse Filename: hwhmwAJCgs.dll, Detection: malicious, Browse Filename: FzIHOw5IB1.dll, Detection: malicious, Browse Filename: TBt2yq48s1.dll, Detection: malicious, Browse Filename: ElRN8C51mm.dll, Detection: malicious, Browse Filename: peUe7aKWzZ.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..................g......g......g......g...........g......g.w....g......Rich...................PE..d......o.........."......B...b......`G.........@..........................................`.......... ..........................................................T...............$.......T............................g...............h...............................text....@.......B.................. ..`.rdata...A...`...B...F..............@..@.data...............................@....pdata..T...........................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.12006401986381
Encrypted:	false
SSDEEP:	12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	00AED0EC34CFF50E3619BF8D25D97B52
SHA1:	DBFAC54FBF1A32D749AA02C0BE92943FCEB27847
SHA-256:	F4DF23DDEDE2B0C6EAFE9CDD3B02A701F433CBCCD30E9E75D2F8B6E767C56D1B
SHA-512:	4F32E6C34262317DBDB0DCA25C62788AAE5F8E179A663DE0414F4EEE80BEAEB9E11B32FE6DBD00129896989ECB6D82A7F22D17EC5F301067860649DA6FFAF1F4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	5.920357039114308
Encrypted:	false
SSDEEP:	6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
MD5:	DCCB1D350193BE0A26CEAFF602DB848E
SHA1:	02673E7070A589B5BF6F217558A06067B388A350
SHA-256:	367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
SHA-512:	ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9. E}.N.}.N.}.N...M.~.N...J.d.N...K.{.N...O.X.N.}.O.F.N...G.[.N....\|.N...L.\|.N.Rich}.N.........PE..d....z............".................`..........@..........................................`.......... ..........................................\|....0..H....... ...............p...`...T............................<...............=...............................text...<........................... ..`.rdata..6...........................@..@.data...............................@....pdata.. ...........................@..@.rsrc...H....0......................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.118074670013424
Encrypted:	false
SSDEEP:	12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	120EA6047784304E8B9D9B314F5A5F7A
SHA1:	D5AB85335BDF4D948E00BCE3FF956AE83290CB8F
SHA-256:	E2A042740FCFBFCFD12B5D4F078BD806A24BC434F01B881F3DB799AE72564AC6
SHA-512:	763498B2F8F4B1861E7AF7BC89488D3492FECF60A3175CAFEED5F3C5B4002C1266D22F28694D146CC075760BCF05324B9756255140D1AD697838692B3AB40D7E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	5.664138088677901
Encrypted:	false
SSDEEP:	1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3
MD5:	E23643C785D498FF73B5C9D7EA173C3D
SHA1:	56296F1D29FC2DCBFAA1D991C87B10968C6D3882
SHA-256:	40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4
SHA-512:	22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a...h...o......b......r......i......j...a..........c.....j.`......`...Richa...................PE..d...x.1".........."......\...........b.........@.....................................H....`.......... ..............................................................................\|..T...........................`r..............`s..8............................text....[.......\.................. ..`.rdata...-...p.......`..............@..@.data... ...........................@....pdata..............................@..@.rsrc...............................@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1806336
Entropy (8bit):	4.151016544012089
Encrypted:	false
SSDEEP:	12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Mh:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	3F5481C3CF2BB7FAAFEEFB882A08F15D
SHA1:	B4FB8B3B5DE6F799F30A7B16D69D7B14A8A99119
SHA-256:	A20E653ECB06D68CF4D410F1BF596E0D924ADC851E8287E140427D6382F9601D
SHA-512:	7115E2589D5195D04556909B122FDE4AC1B803343005159B274644535580F6A166C3CA16881DE70CBBE53E2F498FE27538786A129D52AE28B42089F4A3EBFDD1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." .........p......p..........@....................................@lx}..b.......................................... ...l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.871127662725052
Encrypted:	false
SSDEEP:	192:kXe0PT5V21py9AA/lvmBfXWqFwO6Wdz3ios9aW/GW:kXe5pgAMhAXWq6OFZcaW/GW
MD5:	5FDB30927E9D4387D777443BF865EEFD
SHA1:	E802BE85298183F050141EAEB87930657A8E07A6
SHA-256:	C57CE112AB04B00CC7270B6D76F005FFB8E2ED3ADC6904CF5C5F184EE077FA32
SHA-512:	776F5B5640C22373E641DE4C3C6F4C7DFF0CD39662108B8DFA070EE0A867B3A6401976BD2B78BC766D469105AF2E6E466C4140FFE40C49146BB6B09591676773
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............mo..mo..mo..j..mo..l..mo..k..mo..n..mo..mn..mo..g..mo.....mo..m..mo.Rich.mo.........PE..d......K.........."..........&......@..........@.............................p......?:....`.......... .......................................&.......P.......@...............`.. ....#..T............................ ...............!...............................text...@........................... ..`.rdata....... ......................@..@.data........0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc.. ....`.......2..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\AzSj\newdev.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.114146296909227
Encrypted:	false
SSDEEP:	12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	D3B5C0D22ED8729DA2FAD2B5D1E5932A
SHA1:	66679B519C5CB18C370DA672A9FC16A76CEEA6E7
SHA-256:	CFE9832E3DD1A7E2FEDAB63B25CB7C8EB95EFF8A0D5607B7D54C97258350EC7B
SHA-512:	9D2A70ECA5CDECE764EDFAE3D6C71B9D61E582469EDE505555068DBEF0FF006694550C7E653513C98BCC3B6363B8BD0549C8AB6B7159E08296845C64CED05367
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..]....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.112814429004735
Encrypted:	false
SSDEEP:	12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	422CF18F068925A7705B12D5EAB257B2
SHA1:	4E1B2934052304DABEC01A71EAD49AEFE67E7D12
SHA-256:	06778AE98D60D4D961C551CA1004830899F54BE06226E2249BF547F930BA43E1
SHA-512:	FEE21A47E88855116FE44A021F6F5BD4524568941FA54A552E857951E08A27E0869F102A45608AFB56C17D1120EA69116B5E0DF41DFF8FFD8002FB7FD0A0D4C7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	5.729539450068024
Encrypted:	false
SSDEEP:	1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
SHA1:	2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
SHA-256:	62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
SHA-512:	156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\I3GPZ\wbengine.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1535488
Entropy (8bit):	6.5079506357027785
Encrypted:	false
SSDEEP:	24576:UgSNpxTPrVDqUtzohGP5ilEI1T4N9sS4aC+369riDQMbbKoLtHWwtPJhVx8OIC9h:UtNpxTPrVuUtMhGRuEAc3sfaYhiDXmod
MD5:	6E235F75DF84C387388D23D697D6540B
SHA1:	A97DE324726F3ECBA383863CB643E4AD5DADB4DC
SHA-256:	7113DD02243E9368EF3265CF5A7F991F9B4D69CAB70B1A446062F8DD714AFC8E
SHA-512:	F294A7F7AD6FAD1E2F2E82123AFB78B76E56C603EF3FA37CDD73992DE91640EB55E2F002072DD57B850B1D7E9162F49B4DE973CFE71DF35DAD958B439E1F287A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|r..\|r..\|r..q..\|r..v..\|r..w..\|r..s..\|r..\|s..}r..{.M\|r..r..\|r.....\|r..p..\|r.Rich.\|r.........................PE..d...!............"..........z......p..........@.....................................v....`.......... .........................................\|............ ...u..................@...T....................=..(....<..............(=...............................text............................... ..`.rdata..b.... ......................@..@.data....&..........................@....pdata...u... ...v..................@..@.rsrc................Z..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\I3GPZ\wer.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1785856
Entropy (8bit):	4.122378222596304
Encrypted:	false
SSDEEP:	12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6D04485BF586C674E145F2F40AB3C577
SHA1:	12065B852C5AAD44370755290123E4EEC3A0BFBA
SHA-256:	CC04B9DE9881C5F6B5B320AAE8CB4DE4CE2C7C32F8BBEC92C72DAD59F59685EE
SHA-512:	959D86E8CCB86137AA97F58C7B8424764EC0DEB524809505AFEF170097801389F78415AE4FDB439C3D2815D2BE797959FBF6DE15C48A18312D9C3723667D2C99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ......... ......p..........@.............................@......@lx}..b.......................................... ..W....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29184
Entropy (8bit):	5.483991269470949
Encrypted:	false
SSDEEP:	384:x1i6wkbsVQCy+MmItEV3DAOnKjXxyWzyWpaTeinj7qHk9FyMWagW:x1TwgsmCRMmIcTRnKbQW/kj7uk2U
MD5:	DA88A7B872B1A52F2465D12CFBA4EDAB
SHA1:	8421C2A12DFF33B827E8A6F942C2C87082D933DB
SHA-256:	6A97CF791352C68EFFEFCBE3BB23357A76D93CB51D08543ED993210C56782627
SHA-512:	CA96D8D423235E013B228D05961ED5AA347D25736F8DFC4C7FEB81BFA5A1193D013CD29AA027E1793D6835E52F6557B3491520D56DE7C09F0165F1D5C8FD9ED8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......& ..bA..bA..bA..k9..`A...%..cA...%..`A...%..pA...%..uA..bA...A...%..hA...%p.cA...%..cA..RichbA..........PE..d...?.1V.........."......6...>...... =.........@.....................................f....`.......... ......................................4k.......................................f..T............................U...............V...............................text....4.......6.................. ..`.rdata...'...P...(...:..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\QpqMx\WINSTA.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1785856
Entropy (8bit):	4.130571614423483
Encrypted:	false
SSDEEP:	12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	5343AEA48CE4722D13097BBF228724E0
SHA1:	D2FA1C270C847B97C8C170C4D7EA2D80470600F7
SHA-256:	819E3D7921B463B88EBB76E6C7C97880A6CCFD5F4F530A4F707EC4D1B2143D7B
SHA-512:	322512540578740AF0AC1C4959B288A08B0CFB820FBE94852BB3F165A05A433911F92B8CAE10FEF67F973F53D5A8919954540D062E6B5A53CC67956438CBF35F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ......... ......p..........@.............................@......@lx}..b.......................................... ..m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.1144286325107045
Encrypted:	false
SSDEEP:	12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	40558B8832E21854D8782294C56CFF29
SHA1:	C0D4D63CF9B0803AA202861D6C6767E8C6DAB11D
SHA-256:	9201A707728F3D83E5787741F4FF978AF65DC004E85A51B0851B9DA53A4DA2DE
SHA-512:	8886F06A86DFD0F30DCC07E9179F68003EDEC537597BE16F36EC74750F95F2A21908F04F139FB09EC63F4C207599657D784026E6E07E78C48435F220E08EDD4D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\hxqisrGT\sethc.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	284160
Entropy (8bit):	6.85709982153028
Encrypted:	false
SSDEEP:	6144:z1dgUn5C1AlGr66uFz2LJGRg4kLNnei36cw:XiKFCdUc
MD5:	1C0BF0B710016600C9D9F23CC7103C0A
SHA1:	EFA944D43F76AEA0C72A5C7FB3240ADC55E7DAE8
SHA-256:	AEA110EE0865635EE764B1B40409DB3A3165E57EFFF4CAF942BCD8982F3063C5
SHA-512:	775F075A9D43A887B1AFB000E5E2CBC8EF514C4B1864C694977342307C61173DACC5BA8E5D47002870687B24914B3E6D2D0EB48BF99517822511A8BA2A122515
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r../6q.\|6q.\|6q.\|Y..}5q.\|Y..} q.\|Y..}1q.\|Y..}-q.\|6q.\|8p.\|Y..}$q.\|Y.[\|7q.\|Y..}7q.\|Rich6q.\|........................PE..d.... ............"............................@..........................................`.......... ......................................P........`..h'...P..................x.......T...........................0...............0................................text............................... ..`.rdata...j.......l..................@..@.data...8....0......................@....pdata.......P.......$..............@..@.rsrc...h'...`...(...,..............@..@.reloc..x............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\v74M\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.120050321896044
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	9DDB78BD96C660A463481D09DD4F4564
SHA1:	1A01B02E0E8DD5E040EA22DDB751B8A0052823C1
SHA-256:	24D3AB5E4FD539E035CEB9FE4311C0F8DC19FEEE0C07C08429CAD81FEB386D19
SHA-512:	172A2B8CB9E650BBFF677263567B68132514BD23E2B21101037819A54F1B41B9A2983DA37D101B69E8A110C667CCB9A66DA00722A94F9DE4DBE79486D8D90812
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\v74M\wusa.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	308736
Entropy (8bit):	6.55894801361276
Encrypted:	false
SSDEEP:	6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
MD5:	04CE745559916B99248F266BBF5F9ED9
SHA1:	76FA00103A89C735573D1D8946D8787A839475B6
SHA-256:	1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
SHA-512:	B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..-..~..~..~v./~}.~....}.~....i.~....{.~....d.~..~w.~....k.~..C~~.~....~.~Rich..~................PE..d.....TS.........."......`...X.......f.........@....................................g.....`.......... .......................................I...........T...p..................`....?..T...................Pq..(...Pp..............xq..@............................text...3^.......`.................. ..`.rdata..^....p.......d..............@..@.data........`.......T..............@....pdata.......p.......X..............@..@.rsrc....T.......V...^..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4462
Entropy (8bit):	5.464123225028128
Encrypted:	false
SSDEEP:	48:eq8hbUtZS9Ok9c3cIz2XwQ8KdIoiIEOBAUq8hbU0C1Dtm+7bHjGo973/YVFJ:eV5iZL3d6F8mfNV59C1DtbPao9wVFJ
MD5:	AB09C0D653A04FE6626151A759C9807C
SHA1:	B672006CC0146E3408482C264F8C01EEAAA62843
SHA-256:	9BCAEE6BF895589362D63560EA6B703BDA67147311A2FABCDB1590FC19E09C09
SHA-512:	451CA012C1DB77B533FCAA32D7AEB6F2103621AE5855CFC15E7533500643AC7438A11437656486B9C06B0D00A63DF5D5AB28F0C99A9B0915C0BD57CF696BCBF2
Malicious:	false
Preview:	........................................user.........................................user.....................RSA1................9.h.U.......sr.k.....JAS..7#.Qt...{.....E.{./.O.........oO..pu..w.\R^._w.....k.....=5.c\IG.7E5@me...n....d."..bNd....x.S.....................z..O.......F..yQ.C..8..m......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...F.j5.._Z.LuT...OTfb...f.Q................ ..._1.S...]F.r..)..C[..N^.fxT.]N..........y.9..~...1...%.$.l<.5....2....z..Q.....#./..$4.......6...d[....Z?.D@..=.7.[....\......sU^.33.]\|....G..Tr...t.'&....f.f. .........g1..4....R...t0a.V.....rm.dZ....<..o..k;....us!.\|... .RM......r..A.>8%.q....Q..."...o.........0..-O.E........vU...;..._:`..+.:.......!.......G_......k._/.<..KP..n.3F..<.......o.+..... .&.tUx..>0.&..`Ar.,...\l..=..8.Y..#......I ..'.k4.W..(........."DQd.5G...-4.%{z.N..`...r..n......nF...x.8..1~..p`.s-...9.........=3..".E..E...)...VU.J.<o...?.z.g...`bt..K..D....G....\|..

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	4.124181284517686
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	rPP7AHsBQt.dll
File size:	1777664
MD5:	6966f6e2c68c1f536d63b50bb966c031
SHA1:	c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256:	67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
SHA512:	365cefcf86f2d1b12e59d819c3dda9733003592a6a3cbf010b15d543547f2de2038dc659301a3f454881b76c644d929bb24c382bb70b349a621f95047457c19f
SSDEEP:	12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007F6210C4591Fh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007F6210C458FEh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1b1010	0x597	.bvk
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64fd0	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tblq	0x110000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hcmjm	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nagyk	0x157000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jrucz	0x158000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rnr	0x159000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ths	0x15a000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vyfudm	0x15b000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bejn	0x15c000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lxdw	0x15d000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uffn	0x15e000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cbmla	0x15f000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fcy	0x160000	0x451c2	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.aady	0x1a6000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pqe	0x1a7000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zfem	0x1a9000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ila	0x1aa000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ygqg	0x1ab000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.onr	0x1ac000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.brn	0x1ad000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zch	0x1ae000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yithue	0x1af000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jxyn	0x1b0000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bvk	0x1b1000	0x5a7	0x1000	False	0.189453125	data	2.59802364405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
HidD_FlushQueue	1	0x14002b8a8
HidD_FreePreparsedData	2	0x14000f194
HidD_GetAttributes	3	0x14001cf34
HidD_GetConfiguration	4	0x14002d17c
HidD_GetFeature	5	0x140011ca4
HidD_GetHidGuid	6	0x140022f50
HidD_GetIndexedString	7	0x140005078
HidD_GetInputReport	8	0x14001a15c
HidD_GetManufacturerString	9	0x1400145b8
HidD_GetMsGenreDescriptor	10	0x140037ee0
HidD_GetNumInputBuffers	11	0x1400343e4
HidD_GetPhysicalDescriptor	12	0x140027ab0
HidD_GetPreparsedData	13	0x140034084
HidD_GetProductString	14	0x140027d6c
HidD_GetSerialNumberString	15	0x140035988
HidD_Hello	16	0x140033514
HidD_SetConfiguration	17	0x140032248
HidD_SetFeature	18	0x140020ee8
HidD_SetNumInputBuffers	19	0x140030554
HidD_SetOutputReport	20	0x1400156f4
HidP_GetButtonCaps	21	0x1400193b8
HidP_GetCaps	22	0x140039ad0
HidP_GetData	23	0x14002bd24
HidP_GetExtendedAttributes	24	0x14001ee98
HidP_GetLinkCollectionNodes	25	0x140039404
HidP_GetScaledUsageValue	26	0x14003af70
HidP_GetSpecificButtonCaps	27	0x14001f3dc
HidP_GetSpecificValueCaps	28	0x1400145b8
HidP_GetUsageValue	29	0x140004204
HidP_GetUsageValueArray	30	0x140037e78
HidP_GetUsages	31	0x1400066c8
HidP_GetUsagesEx	32	0x14002c62c
HidP_GetValueCaps	33	0x1400095a4
HidP_InitializeReportForID	34	0x1400143e0
HidP_MaxDataListLength	35	0x140020fbc
HidP_MaxUsageListLength	36	0x140006430
HidP_SetData	37	0x14002e6f4
HidP_SetScaledUsageValue	38	0x1400135d8
HidP_SetUsageValue	39	0x140011438
HidP_SetUsageValueArray	40	0x14001368c
HidP_SetUsages	41	0x140004f24
HidP_TranslateUsagesToI8042ScanCodes	42	0x14000d920
HidP_UnsetUsages	43	0x14001adc0
HidP_UsageListDifference	44	0x14001e5b8

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 22:58:31.326572895 CEST	61242	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:58:31.347534895 CEST	53	61242	8.8.8.8	192.168.2.7
Sep 28, 2021 22:58:44.796044111 CEST	58562	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:58:44.823921919 CEST	53	58562	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:03.568806887 CEST	56590	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:03.596216917 CEST	53	56590	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:35.400859118 CEST	60501	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:35.435148001 CEST	53	60501	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.148283005 CEST	53775	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.175223112 CEST	53	53775	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.242753029 CEST	51837	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.274801970 CEST	53	51837	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.888098955 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.913045883 CEST	53	55411	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:37.426076889 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:37.480443001 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:38.216819048 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:38.236216068 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:38.768949986 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:38.790724993 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:39.499053001 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:39.518876076 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:40.348454952 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:40.392605066 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:41.128099918 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:41.147383928 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:41.619390965 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:41.638657093 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:42.464898109 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:42.485603094 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 28, 2021 23:00:24.683839083 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:00:24.720098972 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 28, 2021 23:00:31.477318048 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:00:31.512187958 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 28, 2021 23:01:00.877557039 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:01:00.896600962 CEST	53	52914	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 5548 Parent PID: 3316

General

Start time:	22:58:35
Start date:	28/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll'
Imagebase:	0x7ff7ea5b0000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4312 Parent PID: 5548

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Imagebase:	0x7ff7bf140000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2716 Parent PID: 5548

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5560 Parent PID: 4312

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3292 Parent PID: 2716

General

Start time:	22:58:38
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1748 Parent PID: 5548

General

Start time:	22:58:39
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5480 Parent PID: 5548

General

Start time:	22:58:43
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: RDVGHelper.exe PID: 6456 Parent PID: 3292

General

Start time:	22:59:23
Start date:	28/09/2021
Path:	C:\Windows\System32\RDVGHelper.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RDVGHelper.exe
Imagebase:	0x7ff7f5b00000
File size:	107008 bytes
MD5 hash:	0BF1E2262C95164A0B244174167FBD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RDVGHelper.exe PID: 6464 Parent PID: 3292

General

Start time:	22:59:24
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Imagebase:	0x7ff787770000
File size:	107008 bytes
MD5 hash:	0BF1E2262C95164A0B244174167FBD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: wusa.exe PID: 6884 Parent PID: 3292

General

Start time:	22:59:36
Start date:	28/09/2021
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wusa.exe
Imagebase:	0x7ff6d6a20000
File size:	308736 bytes
MD5 hash:	04CE745559916B99248F266BBF5F9ED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wusa.exe PID: 6940 Parent PID: 3292

General

Start time:	22:59:37
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\v74M\wusa.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\v74M\wusa.exe
Imagebase:	0x7ff6d6590000
File size:	308736 bytes
MD5 hash:	04CE745559916B99248F266BBF5F9ED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: Dxpserver.exe PID: 3476 Parent PID: 3292

General

Start time:	22:59:50
Start date:	28/09/2021
Path:	C:\Windows\System32\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Dxpserver.exe
Imagebase:	0x7ff639f30000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Dxpserver.exe PID: 4116 Parent PID: 3292

General

Start time:	22:59:52
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Imagebase:	0x7ff7d7eb0000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: InfDefaultInstall.exe PID: 6700 Parent PID: 3292

General

Start time:	23:00:03
Start date:	28/09/2021
Path:	C:\Windows\System32\InfDefaultInstall.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\InfDefaultInstall.exe
Imagebase:	0x7ff703950000
File size:	13312 bytes
MD5 hash:	5FDB30927E9D4387D777443BF865EEFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: InfDefaultInstall.exe PID: 6708 Parent PID: 3292

General

Start time:	23:00:04
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Imagebase:	0x7ff6ee8a0000
File size:	13312 bytes
MD5 hash:	5FDB30927E9D4387D777443BF865EEFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: sethc.exe PID: 7036 Parent PID: 3292

General

Start time:	23:00:16
Start date:	28/09/2021
Path:	C:\Windows\System32\sethc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sethc.exe
Imagebase:	0x7ff64dfa0000
File size:	284160 bytes
MD5 hash:	1C0BF0B710016600C9D9F23CC7103C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: sethc.exe PID: 7068 Parent PID: 3292

General

Start time:	23:00:16
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Imagebase:	0x7ff61c020000
File size:	284160 bytes
MD5 hash:	1C0BF0B710016600C9D9F23CC7103C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: DevicePairingWizard.exe PID: 6340 Parent PID: 3292

General

Start time:	23:00:30
Start date:	28/09/2021
Path:	C:\Windows\System32\DevicePairingWizard.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DevicePairingWizard.exe
Imagebase:	0x7ff61e4c0000
File size:	92160 bytes
MD5 hash:	E23643C785D498FF73B5C9D7EA173C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: DevicePairingWizard.exe PID: 5596 Parent PID: 3292

General

Start time:	23:00:37
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Imagebase:	0x7ff6159d0000
File size:	92160 bytes
MD5 hash:	E23643C785D498FF73B5C9D7EA173C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll64.exe PID: 5548 Parent PID: 3316 loaddll64.exeCOMMON

Executed Functions

Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140049BDD
}*, xrefs: 0000000140049620

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
Opcode Fuzzy Hash: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 000000014003704B
EntryPoint.RPP7AHSBQT ref: 00000001400370EE

Strings

)8GV, xrefs: 0000000140037008
d, xrefs: 0000000140037032

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleEntryFreePoint
String ID: )8GV$d
API String ID: 3550414006-3589632123
Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 000000014005D101

Strings

sy;, xrefs: 000000014005C420
sy;, xrefs: 000000014005C9ED

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: sy;$sy;
API String ID: 31276548-3660992706
Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

}*, xrefs: 000000014004C37C
}*, xrefs: 000000014004BDB0

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 000000014005D2ED

Strings

., xrefs: 000000014005D36A

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140026CC0, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

)8GV, xrefs: 000000014002703B
)8GV, xrefs: 0000000140027120

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
Opcode Fuzzy Hash: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A4B0, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000000014006A550

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
Opcode Fuzzy Hash: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 0000000140048CDE

Part of subcall function 000000014005D1F0: FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035270, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

ExitProcess.KERNEL32 ref: 00000001400354E1

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseExitProcess
String ID:
API String ID: 3487036407-0
Opcode ID: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
Opcode Fuzzy Hash: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046C90, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034870, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
Opcode Fuzzy Hash: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000285CE512252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00000285CE5123B0
VirtualProtect.KERNELBASE ref: 00000285CE512471
RtlAvlRemoveNode.NTDLL ref: 00000285CE5125B4
VirtualProtect.KERNELBASE ref: 00000285CE512677

Memory Dump Source

Source File: 00000001.00000002.273504834.00000285CE510000.00000040.00000001.sdmp, Offset: 00000285CE510000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 1ab35bc129e0daa2819b97579b77378d7eecfb05ad974f2127f8531f05d7c8a1
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 77B144BA619BD486D770CB1AF440B9EB7A1F7C9B80F108026EE8957B58DF79C8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B

Strings

4aX, xrefs: 000000014005FA09

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID: 4aX
API String ID: 3907675253-4042356595
Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DAE0, Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DD30, Relevance: 3.1, APIs: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014005DDD8
ReadFile.KERNELBASE ref: 000000014005DE49

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046F60, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0000000140046FDE

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE ref: 000000014005FEFE

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D1F0, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 0000000140060C16

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046690, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00000001400466DD

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046730, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014004678C

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699

Uniqueness

Uniqueness Score: -1.00%

Function 00000285CE512057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000285CE5129A8), ref: 00000285CE5120A7

Memory Dump Source

Source File: 00000001.00000002.273504834.00000285CE510000.00000040.00000001.sdmp, Offset: 00000285CE510000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: ec365f9c9a72c781c6a4f7dafc95fbee58d014dbdbd4f479cf9b75fb7db3cc7a
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 15313CB6615B9086D790DF1AE45475E7BA0F389BD4F209026EF8D87B18DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014002B6E0, Relevance: 8.2, Strings: 6, Instructions: 741COMMON

Download Yara Rule

Strings

4040, xrefs: 000000014002BB6A
3050, xrefs: 000000014002B992
GNOP, xrefs: 000000014002B9CB
0020, xrefs: 000000014002BB49
0020, xrefs: 000000014002B98B
3050, xrefs: 000000014002BB42

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP
API String ID: 0-829999343
Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071DC0, Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000000014007213B
VUUU, xrefs: 0000000140072194
VUUU, xrefs: 000000014007211B
ERCP, xrefs: 0000000140071EED

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400667D0, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

SW, xrefs: 0000000140066A1A
SW, xrefs: 0000000140066A69
SW, xrefs: 0000000140066CA6
SW, xrefs: 0000000140066C49

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SW$SW$SW$SW
API String ID: 0-1120820918
Opcode ID: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
Opcode Fuzzy Hash: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031DF0, Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

GC,, xrefs: 000000014003216C
GC,, xrefs: 0000000140032008
GC,, xrefs: 0000000140031FC2
GC,, xrefs: 00000001400321D7

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,$GC,$GC,
API String ID: 0-2774350030
Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140057950, Relevance: 4.5, Strings: 2, Instructions: 1977COMMON

Download Yara Rule

Strings

}*, xrefs: 00000001400579C0
}*, xrefs: 0000000140057F89

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: e9887d82a581d5bcb5ea5d841605ffb3677de7d06064effe96893209b5a6e0e0
Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
Opcode Fuzzy Hash: e9887d82a581d5bcb5ea5d841605ffb3677de7d06064effe96893209b5a6e0e0
Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400263C0, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

)8GV, xrefs: 0000000140026A4D
@, xrefs: 0000000140026B3F
)8GV, xrefs: 00000001400267B0

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
Opcode Fuzzy Hash: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400067B0, Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000688D, 000000014000689B
POST, xrefs: 0000000140006CF6
*/*, xrefs: 0000000140006D02

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
Opcode Fuzzy Hash: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035520, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140035665
{QN, xrefs: 00000001400355E1
GC,, xrefs: 0000000140035622

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,${QN
API String ID: 0-3150587038
Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025DB0, Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140025FF4
GC,, xrefs: 0000000140025E65

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$GC,
API String ID: 0-3557465234
Opcode ID: c501a18cd752f9cb014cd0278b4cdcaf861e6727db0c1722d954af001bda1d39
Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
Opcode Fuzzy Hash: c501a18cd752f9cb014cd0278b4cdcaf861e6727db0c1722d954af001bda1d39
Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FB20, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

cLpS, xrefs: 000000014002FB46
cLpS, xrefs: 000000014002FB76

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS$cLpS
API String ID: 0-581437482
Opcode ID: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
Opcode Fuzzy Hash: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039140, Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

D, xrefs: 0000000140039B2B

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C5C0, Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000C5D5

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
Opcode Fuzzy Hash: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015120, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 000000014001530B

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExpandStrings
String ID:
API String ID: 1839112984-0
Opcode ID: 45e4f39da0bad21561b5064be163dd8534aff24f975c135ffc3a62d6c7fd4cf0
Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
Opcode Fuzzy Hash: 45e4f39da0bad21561b5064be163dd8534aff24f975c135ffc3a62d6c7fd4cf0
Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019D20, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a32b9ce1bb685620e39e08575ae203d18ff6a72e91932ff27c8b72503ae2f13
Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
Opcode Fuzzy Hash: 3a32b9ce1bb685620e39e08575ae203d18ff6a72e91932ff27c8b72503ae2f13
Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019580, Relevance: 2.0, APIs: 1, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc47b23165564b486feb3c8182ff2dab583dad21220a6b85b8bd8ac1698894f
Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
Opcode Fuzzy Hash: 3bc47b23165564b486feb3c8182ff2dab583dad21220a6b85b8bd8ac1698894f
Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EB0, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

cLpS, xrefs: 00000001400072A3

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS
API String ID: 0-2886372077
Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400139D0, Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

m, xrefs: 000000014001422E

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID: m
API String ID: 1964310414-3775001192
Opcode ID: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
Opcode Fuzzy Hash: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D100, Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

s( j, xrefs: 000000014001D128

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s( j
API String ID: 0-1450404818
Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029780, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

kw9b, xrefs: 000000014002989A

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumValue
String ID: kw9b
API String ID: 858281747-837114885
Opcode ID: 8fe5edd6d85ef5fb81b21d913d03357e3fdb124ed1fc83b54cb0e6b95d0cba36
Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
Opcode Fuzzy Hash: 8fe5edd6d85ef5fb81b21d913d03357e3fdb124ed1fc83b54cb0e6b95d0cba36
Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033BB0, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

U, xrefs: 000000014003408F

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c7c17b4a929c8fca42997e9228a0bf0b46a1d4db9eb13a9c52e903abf607145f
Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
Opcode Fuzzy Hash: c7c17b4a929c8fca42997e9228a0bf0b46a1d4db9eb13a9c52e903abf607145f
Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023530, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 000000014002385F

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
Opcode Fuzzy Hash: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400389A0, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140038A46

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID: 0
API String ID: 3535843008-4108050209
Opcode ID: 5efda3073f98ba850d64a6a6b6fb973051fc5223a8b2b59b7862bd26d1a0a119
Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
Opcode Fuzzy Hash: 5efda3073f98ba850d64a6a6b6fb973051fc5223a8b2b59b7862bd26d1a0a119
Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400205A0, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 000000014002069B

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
Opcode Fuzzy Hash: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EED0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 000000014002F04E

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023140, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

tI*k, xrefs: 0000000140023300

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tI*k
API String ID: 0-257501792
Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078570, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00000001400785BF

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F940, Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdaca1a3c271cd417c85bb097e58509ad96e32764cb2952681562445dcde157
Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
Opcode Fuzzy Hash: dcdaca1a3c271cd417c85bb097e58509ad96e32764cb2952681562445dcde157
Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 4bce802a55eded36f570ef6d01a06ef35652310067493a148248f362802968e3
Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
Opcode Fuzzy Hash: 4bce802a55eded36f570ef6d01a06ef35652310067493a148248f362802968e3
Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B220, Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024440, Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018630, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
Opcode Fuzzy Hash: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf04223ec18bb60842fe7fa632ea836e81c8b6d6b17b3371276cc931bd38ff2
Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
Opcode Fuzzy Hash: baf04223ec18bb60842fe7fa632ea836e81c8b6d6b17b3371276cc931bd38ff2
Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B120, Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B390, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069010, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: bc4fe18ed797083e74f4d5cd17e8a6e4e1d5126150df91a93b346629e9c3d65f
Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
Opcode Fuzzy Hash: bc4fe18ed797083e74f4d5cd17e8a6e4e1d5126150df91a93b346629e9c3d65f
Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E170, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
Opcode Fuzzy Hash: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002980, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
Opcode Fuzzy Hash: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
Opcode Fuzzy Hash: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010880, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D910, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
Opcode Fuzzy Hash: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033540, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e6d31ae123d367ae286cc33ede5adb79100aa8ca1f635c4c03776b42ffb831
Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
Opcode Fuzzy Hash: 46e6d31ae123d367ae286cc33ede5adb79100aa8ca1f635c4c03776b42ffb831
Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a271461545f8d7b832081a624fb0379c86db8b71a6fcc540a55edf685f09f5
Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
Opcode Fuzzy Hash: e2a271461545f8d7b832081a624fb0379c86db8b71a6fcc540a55edf685f09f5
Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
Opcode Fuzzy Hash: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
Opcode Fuzzy Hash: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064080, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030530, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A110, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
Opcode Fuzzy Hash: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F490, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031540, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
Opcode Fuzzy Hash: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066020, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B424, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B436, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B446, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
Opcode Fuzzy Hash: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001010, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7007dcec79cbd028848c0e6b5f903ec75487d0d5c02af892f7002b917e7028
Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
Opcode Fuzzy Hash: 2f7007dcec79cbd028848c0e6b5f903ec75487d0d5c02af892f7002b917e7028
Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018300, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
Opcode Fuzzy Hash: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016100, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
Opcode Fuzzy Hash: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032650, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
Opcode Fuzzy Hash: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D850, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001620, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
Opcode Fuzzy Hash: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: d3a452de0128449f2e5039728471469ce51d7081f01deae87ca1d54060856238
Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
Opcode Fuzzy Hash: d3a452de0128449f2e5039728471469ce51d7081f01deae87ca1d54060856238
Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022730, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031340, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F840, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: d96108c4bde49195b51d10af4498cce92db92bc86361a98dabd69ade9e6efc75
Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
Opcode Fuzzy Hash: d96108c4bde49195b51d10af4498cce92db92bc86361a98dabd69ade9e6efc75
Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022340, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005370, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.273227882.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273347465.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.273362484.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.273369776.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2716 Parent PID: 5548 rundll32.exeCOMMON

Executed Functions

Function 000001EEC43D2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001EEC43D23B0
VirtualProtect.KERNELBASE ref: 000001EEC43D2471
RtlAvlRemoveNode.NTDLL ref: 000001EEC43D25B4
VirtualProtect.KERNELBASE ref: 000001EEC43D2677

Memory Dump Source

Source File: 00000004.00000002.347302170.000001EEC43D0000.00000040.00000001.sdmp, Offset: 000001EEC43D0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: a6638a2d802f72be57fbd19b7251d8046af403f044c660952e77bffda050ff69
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: CBB14476618BD486DB70CB1AE440BDEB7A1F7C9B80F108126EEC957B58DB79C8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001EEC43D2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001EEC43D29A8), ref: 000001EEC43D20A7

Memory Dump Source

Source File: 00000004.00000002.347302170.000001EEC43D0000.00000040.00000001.sdmp, Offset: 000001EEC43D0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 58c139332e2ca346d763d681a926904a3a20b6f2ecde722fde16b9c8f226f1ab
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: E5313C72615B9086DB90DF1AE45479A7BA0F389BD4F205026EF8D97B18DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5560 Parent PID: 4312 rundll32.exeCOMMON

Executed Functions

Function 000001AD23072252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001AD230723B0
VirtualProtect.KERNELBASE ref: 000001AD23072471
RtlAvlRemoveNode.NTDLL ref: 000001AD230725B4
VirtualProtect.KERNELBASE ref: 000001AD23072677

Memory Dump Source

Source File: 00000005.00000002.252624919.000001AD23070000.00000040.00000001.sdmp, Offset: 000001AD23070000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: ea90b648b5a369a0b1ef205220adf7097c4d0b6b8ff641240de41c44a239df72
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 1AB120B6619BC486D770CF1AF440BDAB7A1F789B80F108126EE8957B58DB79C852CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000001AD23072057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001AD230729A8), ref: 000001AD230720A7

Memory Dump Source

Source File: 00000005.00000002.252624919.000001AD23070000.00000040.00000001.sdmp, Offset: 000001AD23070000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: b76f053a38f205291a635146212ed3ac188d4a1d782b13f78e162562dcc0dc4c
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: BC312772715B8086D790DF1AE45479A7BA0F389BC4F204026EF8E87B58DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1748 Parent PID: 5548 rundll32.exeCOMMON

Executed Functions

Function 000001F0E4B12252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001F0E4B123B0
VirtualProtect.KERNELBASE ref: 000001F0E4B12471
RtlAvlRemoveNode.NTDLL ref: 000001F0E4B125B4
VirtualProtect.KERNELBASE ref: 000001F0E4B12677

Memory Dump Source

Source File: 00000008.00000002.260827433.000001F0E4B10000.00000040.00000001.sdmp, Offset: 000001F0E4B10000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: e014db0ea95434e2ca27fa35e59f016cda95a16f946f8ffc387e19614b62e1cc
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 22B1637A619BC586D770CB1AF4407EEB7A1F7C9B80F118026EE8953B59DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001F0E4B12057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001F0E4B129A8), ref: 000001F0E4B120A7

Memory Dump Source

Source File: 00000008.00000002.260827433.000001F0E4B10000.00000040.00000001.sdmp, Offset: 000001F0E4B10000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 2e67c8f417dc8b373e2255acef3ddae1de4cf1d373dac5c6e66aa19173beb4a0
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 05315C76615B90C6D780DF1AE45479A7BA0F389BC4F218026EF8D87B19DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5480 Parent PID: 5548 rundll32.exeCOMMON

Executed Functions

Function 0000027BA1D12252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000027BA1D123B0
VirtualProtect.KERNELBASE ref: 0000027BA1D12471
RtlAvlRemoveNode.NTDLL ref: 0000027BA1D125B4
VirtualProtect.KERNELBASE ref: 0000027BA1D12677

Memory Dump Source

Source File: 0000000A.00000002.267196478.0000027BA1D10000.00000040.00000001.sdmp, Offset: 0000027BA1D10000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: eae23150b038bc3e2466702be2183fa87c6ec99252fab76fd965a3b33ac59847
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: B2B14376618BC886E770CB1AE44079EB7A1F7C9B90F108026EECD57B58DB7AC8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000027BA1D12057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000027BA1D129A8), ref: 0000027BA1D120A7

Memory Dump Source

Source File: 0000000A.00000002.267196478.0000027BA1D10000.00000040.00000001.sdmp, Offset: 0000027BA1D10000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 96883b5b85ede8f53fbf8c75d30c3cf49de926279a76d8e643e2f08a15caf309
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 55312972619B9486D790DF1AE45475A7BB1F389BD4F209026EF8D87B28DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RDVGHelper.exe PID: 6464 Parent PID: 3292 RDVGHelper.exeCOMMON

Executed Functions

Function 00000218716F2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00000218716F23B0
VirtualProtect.KERNELBASE ref: 00000218716F2471
RtlAvlRemoveNode.NTDLL ref: 00000218716F25B4
VirtualProtect.KERNELBASE ref: 00000218716F2677

Memory Dump Source

Source File: 00000017.00000002.375861772.00000218716F0000.00000040.00000001.sdmp, Offset: 00000218716F0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 771cb1710e3e1ea37824298364b276fbb039146e4276b1ee157506d9afc39482
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 68B145B6618BC486D770CB1AE4807DEB7A5F7D9B80F108126EE8957B58DF79C8428F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000218716F2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000218716F29A8), ref: 00000218716F20A7

Memory Dump Source

Source File: 00000017.00000002.375861772.00000218716F0000.00000040.00000001.sdmp, Offset: 00000218716F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 705fc9909c2bd9710e47ad4c503f89c9f223533198e9e6a76c8d940230ab20f5
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 96315EB6715B9086D780DF1AE49479A7BA5F389BC4F204026EF8D87B58DF39C442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7877752E0, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 279pipeCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF78777532B
CreateWellKnownSid.ADVAPI32 ref: 00007FF7877753A0
GetLastError.KERNEL32 ref: 00007FF7877753AA
memset.MSVCRT ref: 00007FF787775422
SetEntriesInAclW.ADVAPI32 ref: 00007FF78777544C
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF7877754B9
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF787775514
GetLastError.KERNEL32 ref: 00007FF78777551E
CreateNamedPipeW.KERNEL32 ref: 00007FF787775682
GetLastError.KERNEL32 ref: 00007FF787775692
CreateEventW.KERNEL32 ref: 00007FF7877756D8
GetLastError.KERNEL32 ref: 00007FF7877756E7

Part of subcall function 00007FF787777E6C: TraceMessage.ADVAPI32 ref: 00007FF787777EE6

GetLastError.KERNEL32 ref: 00007FF7877754C3

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772A34: TraceMessage.ADVAPI32 ref: 00007FF787772A9D

free.MSVCRT ref: 00007FF78777574B
LocalFree.KERNEL32 ref: 00007FF787775756

Strings

PSID, xrefs: 00007FF787775372
Failed StringCchPrintf call , xrefs: 00007FF7877755F0
\\.\pipe\RDVGHelperToHelper, xrefs: 00007FF787775562
%ws-%d, xrefs: 00007FF78777556E

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Create$DescriptorFreeMessageSecurityTrace$AddressDaclEntriesEventHandleInitializeKnownLibraryLocalModuleNamedPipeProcWellcallocfreememset
String ID: %ws-%d$Failed StringCchPrintf call $PSID$\\.\pipe\RDVGHelperToHelper
API String ID: 3465513791-2420746554
Opcode ID: e30c3a401c9758dd110bcc72cbe6252aab5c1e9eda7ba8d0c3c13a8a2cf9d973
Instruction ID: ea3442b3bb6ec048cb3b893d0aaebcf31c86b9e6e3b524e12fd8ca272577a361
Opcode Fuzzy Hash: e30c3a401c9758dd110bcc72cbe6252aab5c1e9eda7ba8d0c3c13a8a2cf9d973
Instruction Fuzzy Hash: 20D19C22A8878685EB11EB20D444779A7A1FB8C788FB00036DE5F4B6A1DF7CE547C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787774530, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 232libraryloaderCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF7877745B2
GetLastError.KERNEL32 ref: 00007FF7877745C1
CreateEventW.KERNEL32 ref: 00007FF787774606
GetLastError.KERNEL32 ref: 00007FF78777461A
LoadLibraryExW.KERNEL32 ref: 00007FF7877746C9
GetLastError.KERNEL32 ref: 00007FF78777485F

Part of subcall function 00007FF787772630: GetProcAddress.KERNEL32 ref: 00007FF787772676
Part of subcall function 00007FF787772630: GetLastError.KERNEL32 ref: 00007FF787772684

GetProcAddress.KERNEL32 ref: 00007FF787774774
GetProcAddress.KERNEL32 ref: 00007FF787774789
FreeLibrary.KERNEL32 ref: 00007FF7877747E2
FreeLibrary.KERNEL32 ref: 00007FF787774857

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

_CxxThrowException.MSVCRT ref: 00007FF7877748EA

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Couldn't create pipe, xrefs: 00007FF787774697
OpenVGPUAdapterByEnumeration failed, xrefs: 00007FF787774716
D3DKMTCloseAdapter, xrefs: 00007FF78777477E
gdi32.dll, xrefs: 00007FF7877746C0
D3DKMTEscape, xrefs: 00007FF787774755

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorLastLibraryProc$Free$CreateEventMessageTrace$ExceptionHandleLoadModuleThrow
String ID: Couldn't create pipe$D3DKMTCloseAdapter$D3DKMTEscape$OpenVGPUAdapterByEnumeration failed$gdi32.dll
API String ID: 778675261-2118243048
Opcode ID: 87e7fa77b5fe223da6b6ac6469465090128710bd5528dfe94decbed10e340ee5
Instruction ID: 19b6673fef98e62d8227781928fc9a3d70c29353222e2a24c382aad1f57fe083
Opcode Fuzzy Hash: 87e7fa77b5fe223da6b6ac6469465090128710bd5528dfe94decbed10e340ee5
Instruction Fuzzy Hash: 75B18F22A8878A86FB14AB51D444778A7A1BB4DB88FB44035CE5F4B7A1DF3CE447C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877793E0, Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 361COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78777913C: GetDisplayConfigBufferSizes.USER32(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF787779176

memset.MSVCRT ref: 00007FF7877796FF
DisplayConfigGetDeviceInfo.USER32 ref: 00007FF78777971B
free.MSVCRT ref: 00007FF78777983A
free.MSVCRT ref: 00007FF78777985A
free.MSVCRT ref: 00007FF78777987A
free.MSVCRT ref: 00007FF78777989B

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

VUUU, xrefs: 00007FF78777964E

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: free$ConfigDisplay$AddressBufferDeviceFreeHandleInfoLibraryMessageModuleProcSizesTracememset
String ID: VUUU
API String ID: 3538776082-2040033107
Opcode ID: b78fec33328b09c23bbe581ac6dfd541bf5aa2f67e3c93b7a3431608d87875b4
Instruction ID: 17ecafa69046c725f9f5a98db224349b6a8c370abf963bfb65e482f0d1709497
Opcode Fuzzy Hash: b78fec33328b09c23bbe581ac6dfd541bf5aa2f67e3c93b7a3431608d87875b4
Instruction Fuzzy Hash: D5E1D332B4964286FB20EF65D8406BDB7A1FB58788FA40135DE4E9B695DF3CE402CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787784E70, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF787784EA1
GetCurrentProcessId.KERNEL32 ref: 00007FF787784EAF
GetCurrentThreadId.KERNEL32 ref: 00007FF787784EBB
GetTickCount.KERNEL32 ref: 00007FF787784EC7
GetTickCount.KERNEL32 ref: 00007FF787784ED7
QueryPerformanceCounter.KERNEL32 ref: 00007FF787784EF2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 4af1812b3d0277823e11467646a5a95a838673b7e346707ad10feef075a5ff0c
Instruction ID: 50e34352113a7e22a5794a0ccbc029737fe7ccbe436e414f28d147a90ebfff3d
Opcode Fuzzy Hash: 4af1812b3d0277823e11467646a5a95a838673b7e346707ad10feef075a5ff0c
Instruction Fuzzy Hash: 5A114A22B45B418AEB00EF71E8440A873A4FB0D758B900A35EE6E87B64EF7CD1A5C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787784CE0, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF787784CEB

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ef879de91e62d59fe24115e0797b1e0edbd6f0ce0f6d671f07cc2b15693dbe01
Instruction ID: 5cd1707e1f1ebedb9eaefe4e4ed3bee515a348bd8a0e299c9aad3d314d17d213
Opcode Fuzzy Hash: ef879de91e62d59fe24115e0797b1e0edbd6f0ce0f6d671f07cc2b15693dbe01
Instruction Fuzzy Hash: C5B09250EA6402D1D604BF22EC8106052A47B5C310FE00830C40E88220EE6C929BC724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877711B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF7877711DC
OpenServiceW.ADVAPI32 ref: 00007FF787771205
CloseServiceHandle.ADVAPI32 ref: 00007FF78777121A
NotifyServiceStatusChangeW.ADVAPI32 ref: 00007FF787771250
CloseServiceHandle.ADVAPI32 ref: 00007FF7877712B5
OpenSCManagerW.ADVAPI32 ref: 00007FF7877712C5
GetLastError.KERNEL32 ref: 00007FF7877712D7
CloseServiceHandle.ADVAPI32 ref: 00007FF7877713A8
GetLastError.KERNEL32 ref: 00007FF7877713F9

Strings

Couldn't subscribe for service notifications, xrefs: 00007FF787771378
SessionEnv, xrefs: 00007FF7877711FB

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandleOpen$ErrorLastManager$ChangeNotifyStatus
String ID: Couldn't subscribe for service notifications$SessionEnv
API String ID: 3006147633-3598709105
Opcode ID: 199ed1d0a6fe019d6931dca04933a1453190996c0479d8130ef7316c7e49bff2
Instruction ID: 9a0aae3ecc19464b47d998bed8a0bfcb102d53b7f8d04e5c6ca815300ab0c001
Opcode Fuzzy Hash: 199ed1d0a6fe019d6931dca04933a1453190996c0479d8130ef7316c7e49bff2
Instruction Fuzzy Hash: 43617C21A8864681FB14AB12D444739A6A1BBCCBC4FB54439CE5F4BBA1DF3CE543C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877727C4, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF78777280D
GetLastError.KERNEL32 ref: 00007FF78777281F
GetProcAddress.KERNEL32 ref: 00007FF787772870
GetProcAddress.KERNEL32 ref: 00007FF787772887
memset.MSVCRT ref: 00007FF7877728B0
FreeLibrary.KERNEL32 ref: 00007FF787772901
_CxxThrowException.MSVCRT ref: 00007FF787772945

Strings

D3DKMTCloseAdapter, xrefs: 00007FF787772876
Calista, xrefs: 00007FF7877728B5
gdi32.dll, xrefs: 00007FF787772804
D3DKMTEscape, xrefs: 00007FF78777285A

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryProc$ErrorExceptionFreeLastLoadThrowmemset
String ID: Calista$D3DKMTCloseAdapter$D3DKMTEscape$gdi32.dll
API String ID: 2520493685-963847156
Opcode ID: 73b865a7e2b115dc24908300b5c4868183619396dcdfd9d2e8b93ac62e51da1e
Instruction ID: db573f4fe17d3e0ccebd98ac9c9d30e101bb27cf5379d81719cc2d8830cc4209
Opcode Fuzzy Hash: 73b865a7e2b115dc24908300b5c4868183619396dcdfd9d2e8b93ac62e51da1e
Instruction Fuzzy Hash: CF418032B49B4299EB00EF65E8402ACB3B4FB4CB88F944035EE1E57B55EE38E556C314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777716C, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787775ED8: ReadFile.KERNEL32 ref: 00007FF787775F03
Part of subcall function 00007FF787775ED8: GetLastError.KERNEL32 ref: 00007FF787775F18

LockWorkStation.USER32 ref: 00007FF787777276
GetLastError.KERNEL32 ref: 00007FF787777280

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

Couldn't read the session ID, xrefs: 00007FF7877771D7
Couldn't send reply, xrefs: 00007FF78777735E

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressFileFreeHandleLibraryLockMessageModuleProcReadStationTraceWork
String ID: Couldn't read the session ID$Couldn't send reply
API String ID: 2992432468-3595970152
Opcode ID: ef3647a4e129e3d1921bc2833a6ee1048e12a6a65be50909dadfcf2ee5cad1ce
Instruction ID: c39333f5479317f7084fef7fcb7682a58b84a5ccf6aaac3518311b7669d71a18
Opcode Fuzzy Hash: ef3647a4e129e3d1921bc2833a6ee1048e12a6a65be50909dadfcf2ee5cad1ce
Instruction Fuzzy Hash: D7B18321E8974681EB10B725D444774AA91BF8CBC8FB90435DE6F8B6A1DE3CE443C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787783A94, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 129registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF787783AD3

Part of subcall function 00007FF787777EF4: _vsnwprintf.MSVCRT ref: 00007FF787777F34

GetClassInfoExW.USER32 ref: 00007FF787783BC9
GetModuleHandleW.KERNEL32 ref: 00007FF787783BFA
RegisterClassExW.USER32 ref: 00007FF787783C2A
GetLastError.KERNEL32 ref: 00007FF787783C33

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

Failed to get module specific class name, xrefs: 00007FF787783B9F
P, xrefs: 00007FF787783BDE
PAL_SYS_WIN32_THREAD_WNDCLASS, xrefs: 00007FF787783AD8
%p-%s, xrefs: 00007FF787783AED
Failed StringCchPrintf, xrefs: 00007FF787783B41

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassHandleModule$AddressErrorFreeInfoLastLibraryMessageProcRegisterTrace_vsnwprintfmemset
String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$P$PAL_SYS_WIN32_THREAD_WNDCLASS
API String ID: 3458599635-3200800430
Opcode ID: 90019642b5bb8da718051cef162d8a7936b034a6a33adbd0c41ae990fa23fa32
Instruction ID: eed6e7d998070c26516c25ce96463feb6011d03461814c6be64c55812be15382
Opcode Fuzzy Hash: 90019642b5bb8da718051cef162d8a7936b034a6a33adbd0c41ae990fa23fa32
Instruction Fuzzy Hash: 63517171A58B4685E710AB25D4542A9B7A0FB8C748FB00136DE9F437A1DF3CE546C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787778278, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF787778287
ProcessIdToSessionId.KERNEL32 ref: 00007FF787778294
GetLastError.KERNEL32 ref: 00007FF7877782A5
OpenInputDesktop.USER32 ref: 00007FF78777839D
GetLastError.KERNEL32 ref: 00007FF7877783A8
SetThreadDesktop.USER32 ref: 00007FF7877783FF
GetLastError.KERNEL32 ref: 00007FF787778409

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

couldn't set thread to input desktop, xrefs: 00007FF787778436
couldn't open input desktop, xrefs: 00007FF7877783D5
couldn't get session id, xrefs: 00007FF7877782E7

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$DesktopProcess$AddressCurrentFreeHandleInputLibraryMessageModuleOpenProcSessionThreadTrace
String ID: couldn't get session id$couldn't open input desktop$couldn't set thread to input desktop
API String ID: 487586429-4287752933
Opcode ID: 69246158a716a6919f8eb674c4364ed24eb56ea01688b2bcdad5f6d09e2343a7
Instruction ID: 25722125347357cf03edbf1efc4fbf51e5c2d7439782609104b78ae75c2ed247
Opcode Fuzzy Hash: 69246158a716a6919f8eb674c4364ed24eb56ea01688b2bcdad5f6d09e2343a7
Instruction Fuzzy Hash: 64516121A8864685FB54AB19D484378A791BF8C788FB80435CE5F4B2A1DF3CE547C768

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877798D8, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78777913C: GetDisplayConfigBufferSizes.USER32(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF787779176

memset.MSVCRT ref: 00007FF7877799DB
DisplayConfigGetDeviceInfo.USER32 ref: 00007FF787779A05
malloc.MSVCRT ref: 00007FF787779A72

Part of subcall function 00007FF787771010: TraceMessage.ADVAPI32 ref: 00007FF787771047

free.MSVCRT ref: 00007FF787779BF9

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Strings

RDVVG_MODE_SPEC, xrefs: 00007FF787779AC4

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConfigDisplay$AddressBufferDeviceFreeHandleInfoLibraryMessageModuleProcSizesTracefreemallocmemset
String ID: RDVVG_MODE_SPEC
API String ID: 3153933191-967928687
Opcode ID: d636d45a9b1b69e5f31ece46a15f9e6b25053827fb9342af835beb4462b8eb35
Instruction ID: 5f5b0dfdb4d46b272c4ab5495a8dae0d1c388b18742b7085042470292dfc3798
Opcode Fuzzy Hash: d636d45a9b1b69e5f31ece46a15f9e6b25053827fb9342af835beb4462b8eb35
Instruction Fuzzy Hash: 38A1CF21A4964685EB50EB14D444779A7A2FB8D788FB00032DE5F4B6B5EF3CE447CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787772630, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF787772676
GetLastError.KERNEL32 ref: 00007FF787772684
GetProcAddress.KERNEL32 ref: 00007FF7877726A9
GetProcAddress.KERNEL32 ref: 00007FF7877726C2
memset.MSVCRT ref: 00007FF7877726E5

Strings

D3DKMTCloseAdapter, xrefs: 00007FF7877726BB
D3DKMTEnumAdapters, xrefs: 00007FF78777266B
Microsoft RemoteFX Graphics Adapter, xrefs: 00007FF787772756
D3DKMTQueryAdapterInfo, xrefs: 00007FF7877726A2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastmemset
String ID: D3DKMTCloseAdapter$D3DKMTEnumAdapters$D3DKMTQueryAdapterInfo$Microsoft RemoteFX Graphics Adapter
API String ID: 465355849-1340418296
Opcode ID: 7fd63e92fc902c31b782291e949383f33a8245a824684052fd6608519c485535
Instruction ID: f0dc64d797d41c9a2a3fb2b4c7bf5f864461c1b4bc84747fbeea8c63cc414261
Opcode Fuzzy Hash: 7fd63e92fc902c31b782291e949383f33a8245a824684052fd6608519c485535
Instruction Fuzzy Hash: 3241753264868295EB10EF21D944379B3A0FB88788FA44035DE5E8A755EF3CE546CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777913C, Relevance: 15.2, APIs: 10, Instructions: 173COMMON

Download Yara Rule

APIs

GetDisplayConfigBufferSizes.USER32(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF787779176
calloc.MSVCRT(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF787779190
calloc.MSVCRT(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF7877791A1
QueryDisplayConfig.USER32 ref: 00007FF7877791D4
free.MSVCRT ref: 00007FF78777922A
free.MSVCRT ref: 00007FF787779233
GetDisplayConfigBufferSizes.USER32 ref: 00007FF787779243
free.MSVCRT(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF7877793C6
free.MSVCRT(?,?,?,?,00000000,00000000,?,00007FF787778672), ref: 00007FF7877793CF

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF7877781E8: TraceMessage.ADVAPI32 ref: 00007FF787778226

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: free$ConfigDisplay$BufferSizescalloc$AddressFreeHandleLibraryMessageModuleProcQueryTrace
String ID:
API String ID: 1863049588-0
Opcode ID: ffc3059be3a72a4870abef80d1c4355d75ddce9f9299f24b43a1e3cb3278ffd8
Instruction ID: 1858214f775891f9a5f0222640956350df522dcc359dd963d43356a75f54a872
Opcode Fuzzy Hash: ffc3059be3a72a4870abef80d1c4355d75ddce9f9299f24b43a1e3cb3278ffd8
Instruction Fuzzy Hash: 2B819C21A8974686EB50EB21D440678A7A1FB8DB88FB50431DE1F4B7A1DE3CE443CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877748F0, Relevance: 15.1, APIs: 10, Instructions: 145pipeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,00007FF787774439), ref: 00007FF78777496A
GetLastError.KERNEL32(?,?,?,?,?,00007FF787774439), ref: 00007FF787774974
CloseHandle.KERNEL32(?,?,?,?,?,00007FF787774439), ref: 00007FF7877749C9
GetLastError.KERNEL32(?,?,?,?,?,00007FF787774439), ref: 00007FF7877749D3
DisconnectNamedPipe.KERNEL32 ref: 00007FF787774A29
CloseHandle.KERNEL32 ref: 00007FF787774A41
GetLastError.KERNEL32 ref: 00007FF787774A4B
CloseHandle.KERNEL32 ref: 00007FF787774A98
GetLastError.KERNEL32 ref: 00007FF787774AA2
memset.MSVCRT ref: 00007FF787774AF0

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$CloseErrorLast$AddressDisconnectFreeLibraryMessageModuleNamedPipeProcTracememset
String ID:
API String ID: 3835335660-0
Opcode ID: f1c851604a9c9fea9600812509e533d8279f5666337927883ec05983717d4245
Instruction ID: e8a50fb69d9c053aef7568bee68794fd937f2ccedd9771a30c117b47ba9c9666
Opcode Fuzzy Hash: f1c851604a9c9fea9600812509e533d8279f5666337927883ec05983717d4245
Instruction Fuzzy Hash: A6716C21A4864681EB54AB65D444738A7A0FF8CB98FB50535CE6F8B6E1DF3CD843C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787774E80, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 258pipeCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00007FF787774F85

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

DisconnectNamedPipe.KERNEL32 ref: 00007FF7877752BB

Strings

Couldn't signal pipe to accept new connections, xrefs: 00007FF787774F4D
Error waiting for events, xrefs: 00007FF7877751B1
Couldn't disconnect pipe, xrefs: 00007FF7877750EA
Not all events are available, xrefs: 00007FF78777520A

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDisconnectFreeHandleLibraryMessageModuleMultipleNamedObjectsPipeProcTraceWait
String ID: Couldn't disconnect pipe$Couldn't signal pipe to accept new connections$Error waiting for events$Not all events are available
API String ID: 3045291218-2626958748
Opcode ID: 4dfb54632f97b3dac6e34dc246fa73d3b7ab6f650a27f384a57538b4f465e25b
Instruction ID: 815b9c33554276e7c4b53453ba3e60749c211b2fdd8bf23c8ff2688c6262faaa
Opcode Fuzzy Hash: 4dfb54632f97b3dac6e34dc246fa73d3b7ab6f650a27f384a57538b4f465e25b
Instruction Fuzzy Hash: 9CC19D21A8868681FB54E725D454378A691BB8DBC8FB40035CE5F9B3A2DF3DE483C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787783CD4, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF787783D68

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Failed to get module specific class name, xrefs: 00007FF787783E36
PAL_SYS_WIN32_THREAD_WNDCLASS, xrefs: 00007FF787783D6D
%p-%s, xrefs: 00007FF787783D85
Failed StringCchPrintf, xrefs: 00007FF787783DDA

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryMessageModuleProcTracememset
String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_THREAD_WNDCLASS
API String ID: 1171831687-1852166344
Opcode ID: d6b56e9e9e55f48b4cb5c608037a520fa4f29cddfdb85f7e5c0364315d68fe6d
Instruction ID: 79b9ea0d5633aee52f2e279f0e39bfdb70c845ac0cdd7c070fa50631e0da68ed
Opcode Fuzzy Hash: d6b56e9e9e55f48b4cb5c608037a520fa4f29cddfdb85f7e5c0364315d68fe6d
Instruction Fuzzy Hash: 30515021A98B4681FB60AB15E4846B9B791FB8C748FB00036DE5F436A5DF3CE447C768

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787783604, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF787783698

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Failed to get module specific class name, xrefs: 00007FF787783766
PAL_SYS_WIN32_TIMER_WNDCLASS, xrefs: 00007FF78778369D
%p-%s, xrefs: 00007FF7877836B5
Failed StringCchPrintf, xrefs: 00007FF78778370A

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryMessageModuleProcTracememset
String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_TIMER_WNDCLASS
API String ID: 1171831687-1526586533
Opcode ID: 980cc05292e7b95615efbdd10b63a0e747a9949b6ab9298012aa76c847442729
Instruction ID: 7778f5d059d6e9809b974bdf7d856ecc3d53cb57f1fe16add3737635fddf372a
Opcode Fuzzy Hash: 980cc05292e7b95615efbdd10b63a0e747a9949b6ab9298012aa76c847442729
Instruction Fuzzy Hash: E2517061A9874A81E750BB25D4846B9B7A0FB8D788FB00036DE5F436A1DF3CE447C768

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787772158, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74registryCOMMON

Download Yara Rule

APIs

GetClassInfoExW.USER32 ref: 00007FF7877721A5
LoadCursorW.USER32 ref: 00007FF7877721D0
RegisterClassExW.USER32 ref: 00007FF7877721EE
GetLastError.KERNEL32 ref: 00007FF7877721FB
CreateWindowExW.USER32 ref: 00007FF787772248

Strings

RDVVGHelper, xrefs: 00007FF78777218D
CRDVVGHelperWindow, xrefs: 00007FF787772168

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CreateCursorErrorInfoLastLoadRegisterWindow
String ID: CRDVVGHelperWindow$RDVVGHelper
API String ID: 3919166384-2946006817
Opcode ID: 086975935eba673a3bec27135047ea97129e99ef4b02428ddc327b1ed83c607b
Instruction ID: 0fc72e6bd7e08e084eb4850abc76630aa04bde272aefa198b7abab20fb2a908f
Opcode Fuzzy Hash: 086975935eba673a3bec27135047ea97129e99ef4b02428ddc327b1ed83c607b
Instruction Fuzzy Hash: 1331C132B58B4186E3109F61E8402AEB7F5F788784FA5003ADE5E57B04CF38D552C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78778400C, Relevance: 12.2, APIs: 8, Instructions: 175windowthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF78778402F
GetCurrentThreadId.KERNEL32 ref: 00007FF78778403C
WaitForMultipleObjects.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7877825D4), ref: 00007FF787784098
PeekMessageW.USER32 ref: 00007FF7877840E1
DispatchMessageW.USER32 ref: 00007FF7877840FB
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF78778411A
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF787784153
GetTickCount.KERNEL32 ref: 00007FF787784176

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: MultipleObjectsWait$CountMessageTick$CurrentDispatchPeekThread
String ID:
API String ID: 2727776524-0
Opcode ID: 8608697a663afd761154c4dff99cc82424b761d80b97468bba1addc86ff93fc9
Instruction ID: 8f15c5eeb021398ace19c5d802c72ef07184c8ed4c4b3ce4ecdf1473f445665d
Opcode Fuzzy Hash: 8608697a663afd761154c4dff99cc82424b761d80b97468bba1addc86ff93fc9
Instruction Fuzzy Hash: 83719F22A8C68686EB74AF11E44477AA691FB4C788FB00135CE5F47790DF7CE486C729

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78778478C, Relevance: 12.1, APIs: 8, Instructions: 128sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF787784791
_amsg_exit.MSVCRT ref: 00007FF7877847CC
Sleep.KERNEL32 ref: 00007FF7877847D8
_initterm.MSVCRT ref: 00007FF787784866
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF787784893
exit.MSVCRT ref: 00007FF787784924
_cexit.MSVCRT ref: 00007FF787784933
_ismbblead.MSVCRT ref: 00007FF787784956

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 3033372379-0
Opcode ID: 918076befac1d423490ef2a05134e22ded3005c6790dc22fe88ca6fc306a692c
Instruction ID: 4b3fc36df6fb1c80229e3f67992782b37a42e66e26dd07fc1e0d2199eeef9f57
Opcode Fuzzy Hash: 918076befac1d423490ef2a05134e22ded3005c6790dc22fe88ca6fc306a692c
Instruction Fuzzy Hash: FC513B21A8864686F760AF11E854775A3A0FF4C748FE40035CE6F877A5DF7CE842C628

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777578C, Relevance: 12.1, APIs: 8, Instructions: 124pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32 ref: 00007FF787775806
GetLastError.KERNEL32 ref: 00007FF787775834
GetLastError.KERNEL32 ref: 00007FF78777584B
SetEvent.KERNEL32 ref: 00007FF787775898
GetLastError.KERNEL32 ref: 00007FF7877758A6
GetLastError.KERNEL32 ref: 00007FF787775903
GetLastError.KERNEL32 ref: 00007FF787775928

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

GetLastError.KERNEL32 ref: 00007FF787775954

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressConnectEventFreeHandleLibraryMessageModuleNamedPipeProcTrace
String ID:
API String ID: 141185939-0
Opcode ID: a260ab18af95be480d2a7e446ea26a3ee62565832bf418bd6d6a606a76dcb452
Instruction ID: 69389bc7ff948040a7cfe6e55606539e666e36947cea21b3011a2d07de0667ef
Opcode Fuzzy Hash: a260ab18af95be480d2a7e446ea26a3ee62565832bf418bd6d6a606a76dcb452
Instruction Fuzzy Hash: B8516021A8868686FB50EB25D444378A691BB8CB98FB40435CE5F4B2A2CF7CE447C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877768E4, Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF7877769D9
calloc.MSVCRT ref: 00007FF787776A43
calloc.MSVCRT ref: 00007FF787776BBD

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Couldn't read monitor definition, xrefs: 00007FF787776D3D
Couldn't read number of monitors, xrefs: 00007FF7877769C5
struct mode_list, xrefs: 00007FF787776A1C
Couldn't read number monitor dimensions, xrefs: 00007FF787776E20

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: calloc$AddressFreeHandleLibraryMessageModuleProcTrace
String ID: Couldn't read monitor definition$Couldn't read number monitor dimensions$Couldn't read number of monitors$struct mode_list
API String ID: 3340571893-2795074683
Opcode ID: 1ac8fef17e83dd02af68bccee0387a31438967e64b087cfbba66d41d615aeb9f
Instruction ID: 36bad5c465bc201f983c466062ce25b0f007deabf58e795127da0ba43cf10e38
Opcode Fuzzy Hash: 1ac8fef17e83dd02af68bccee0387a31438967e64b087cfbba66d41d615aeb9f
Instruction Fuzzy Hash: C902BD22A4864686EB10EB25D044768BBE1FB4D788FA54035DE5F8B7A5DF3CE443C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787773010, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 315windowCOMMON

Download Yara Rule

APIs

DwmIsCompositionEnabled.DWMAPI ref: 00007FF7877730F7
DefWindowProcW.USER32 ref: 00007FF7877734F3

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

PostQuitMessage.USER32 ref: 00007FF787773571

Strings

Couldn't check whether glass is on or off, xrefs: 00007FF78777313C
OnWakeupTimer failed, xrefs: 00007FF7877734B2
OnLoadWallpaperTimer failed, xrefs: 00007FF787773432

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageProc$AddressCompositionEnabledFreeHandleLibraryModulePostQuitTraceWindow
String ID: Couldn't check whether glass is on or off$OnLoadWallpaperTimer failed$OnWakeupTimer failed
API String ID: 525318569-842458313
Opcode ID: 9eb8530701882c280a42010c2249a5a682581ecf306c4b8322af3eff10377b37
Instruction ID: bd0558970a78c42e883b474dae81d5aa21fcf989416c3bcbdd0abfd76c1b128e
Opcode Fuzzy Hash: 9eb8530701882c280a42010c2249a5a682581ecf306c4b8322af3eff10377b37
Instruction Fuzzy Hash: C5E16E21B8C68B91FA65B725D4042B4A691BF48B88FB84431DE2F4B2B1DE3DE547C374

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787776540, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 229sleepwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF78777669F
PostMessageW.USER32 ref: 00007FF7877766FD
PostMessageW.USER32 ref: 00007FF787776812
Sleep.KERNEL32 ref: 00007FF7877767C1

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Part of subcall function 00007FF7877785DC: free.MSVCRT ref: 00007FF7877790CC
Part of subcall function 00007FF7877785DC: free.MSVCRT ref: 00007FF7877790D6

Strings

Couldn't send mode change reply to gfx plugin, xrefs: 00007FF787776861
Couldn't read mode spec from pipe, xrefs: 00007FF7877765E0

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$PostSleepfree$AddressFreeHandleLibraryModuleProcTrace
String ID: Couldn't read mode spec from pipe$Couldn't send mode change reply to gfx plugin
API String ID: 1765548159-2207461280
Opcode ID: a7c5ee94a20a8034f014ae3f81e12530d4399fd9857b7dabf08c870e15d30e7d
Instruction ID: 8acd579fdcce8a74a3ec8c4f2595504b11a3f24943536ec15367b07f720999e9
Opcode Fuzzy Hash: a7c5ee94a20a8034f014ae3f81e12530d4399fd9857b7dabf08c870e15d30e7d
Instruction Fuzzy Hash: 87A1CE21A8864681FB14BB21D450379A691BB8A7C8FF44035CE1F8B6A6DF7DE443C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787783828, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 140COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7877838B3
CreateWindowExW.USER32 ref: 00007FF787783A31

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Failed to get module specific class name, xrefs: 00007FF7877839E0
PAL_SYS_WIN32_THREAD_WNDCLASS, xrefs: 00007FF787783917
%p-%s, xrefs: 00007FF78778392F
Failed StringCchPrintf, xrefs: 00007FF787783984

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateFreeHandleLibraryMessageModuleProcTraceWindowmemset
String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_THREAD_WNDCLASS
API String ID: 1026176067-1852166344
Opcode ID: 1ae5e3cf19ccc54d8a270215a833a80129be51b2d24824da38e74c6dc1d2111f
Instruction ID: d85adda02873a04acf9361018711c406929abc8268fb3a6062aa29c2378a5c36
Opcode Fuzzy Hash: 1ae5e3cf19ccc54d8a270215a833a80129be51b2d24824da38e74c6dc1d2111f
Instruction Fuzzy Hash: B0618521A8874A91FB10AB19E444769B7A5FB8C748FB40135DE9E477A1EF3CE143C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787775ED8, Relevance: 9.2, APIs: 6, Instructions: 155fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF787775F03
GetLastError.KERNEL32 ref: 00007FF787775F18
GetLastError.KERNEL32 ref: 00007FF787775F79
GetOverlappedResult.KERNEL32 ref: 00007FF787776036
GetLastError.KERNEL32 ref: 00007FF787776040
GetLastError.KERNEL32 ref: 00007FF78777607E

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressFileFreeHandleLibraryMessageModuleOverlappedProcReadResultTrace
String ID:
API String ID: 2563391445-0
Opcode ID: b5f76d73109a2a6e9a6d4d49d5c792010e1c528dc62341a97759294dca5c154d
Instruction ID: 4b29312d2bf7b7f61656ec16cc38c88f3ae4dddb4835c892fb38685abfeb6577
Opcode Fuzzy Hash: b5f76d73109a2a6e9a6d4d49d5c792010e1c528dc62341a97759294dca5c154d
Instruction Fuzzy Hash: FD71AE21A8878A81FB10B715D844774AB91BF4DB88FB40436CE2F4B2A6DE7CE443C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787773758, Relevance: 9.1, APIs: 6, Instructions: 140windowtimeCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 00007FF787773782
PostMessageW.USER32 ref: 00007FF7877737F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7877733F6), ref: 00007FF787773819
GetLastError.KERNEL32(?,?,?,?,?,00007FF7877733F6), ref: 00007FF787773845
KillTimer.USER32(?,?,?,?,?,00007FF7877733F6), ref: 00007FF787773932
GetLastError.KERNEL32(?,?,?,?,?,00007FF7877733F6), ref: 00007FF78777393C

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Message$AddressFreeHandleKillLibraryModulePostProcShellTimerTraceWindow
String ID:
API String ID: 2837697407-0
Opcode ID: 0d155ea027e42ba59dc3fcde33f86f59d054c35346ad613be78f679727a13520
Instruction ID: f658ed69564c074de5348c0cee64b76b2602acd514ff1dce0676a132bd5d7293
Opcode Fuzzy Hash: 0d155ea027e42ba59dc3fcde33f86f59d054c35346ad613be78f679727a13520
Instruction Fuzzy Hash: FF517F20A88B8A81FB54A725D844774A6D1BB8CBC8FB54435CE6F4B3A1DE3DE443C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777A944, Relevance: 9.1, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF78777A97F
GetModuleHandleExW.KERNEL32 ref: 00007FF78777A9B6
GetLastError.KERNEL32 ref: 00007FF78777A9DF
LocalFree.KERNEL32 ref: 00007FF78777AAC2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Local$AllocErrorFreeHandleLastModule
String ID:
API String ID: 2425194707-0
Opcode ID: a5e76ed3e6d1c776300881873dd35d52d1c3ba45fb9a97d7b453bb6dbc6cffe2
Instruction ID: 1a39fda91999a349cffe67858f0e8b2e7c37d5d86892177f58ae35827c453e0c
Opcode Fuzzy Hash: a5e76ed3e6d1c776300881873dd35d52d1c3ba45fb9a97d7b453bb6dbc6cffe2
Instruction Fuzzy Hash: F941B231A8874686FB00AB15E544378A3A0FB8CB88FA64035DE5F4B761EF3CE446C794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787772DFC, Relevance: 9.1, APIs: 6, Instructions: 95registryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF787772E20
WTSRegisterSessionNotification.WTSAPI32 ref: 00007FF787772E93
GetLastError.KERNEL32 ref: 00007FF787772E9D
RegisterPowerSettingNotification.USER32 ref: 00007FF787772EE1
GetLastError.KERNEL32 ref: 00007FF787772EF0
GetLastError.KERNEL32 ref: 00007FF787772EFA

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$NotificationRegister$AddressFreeHandleLibraryModulePowerProcSessionSetting
String ID:
API String ID: 3101777077-0
Opcode ID: f23cacc4a5b229082e7389cd5c2e05c4d7c9d4dae6d27662e26cf521974b958d
Instruction ID: f9ab1c7ce7ad24ae51bb4cbf2c5efb9e1bda489c65d12e3d547169153f66310d
Opcode Fuzzy Hash: f23cacc4a5b229082e7389cd5c2e05c4d7c9d4dae6d27662e26cf521974b958d
Instruction Fuzzy Hash: 9E417F61A8864741FB54A725D484334A2E1BF4CB88FB44439CE6F8B5A1DF7CE497C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777DEE0, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 309COMMON

Download Yara Rule

Strings

Failed to create thread signal, xrefs: 00007FF78777DF8A
Unable to add the current thread to the descriptor, xrefs: 00007FF78777E2EA
thread descriptor creation failed in bind path, xrefs: 00007FF78777E02F

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$ActivityControlCurrentEventMessageSleepSwitchTrace
String ID: Failed to create thread signal$Unable to add the current thread to the descriptor$thread descriptor creation failed in bind path
API String ID: 1372454233-1456235783
Opcode ID: 0720f38c5d99f770d0486283714d87ea45aee3827a8991f9dc05d31c7d399909
Instruction ID: b382b14985ba4b9d25a6193af43fae7ed71e495f892bb15a807e371a6353f91a
Opcode Fuzzy Hash: 0720f38c5d99f770d0486283714d87ea45aee3827a8991f9dc05d31c7d399909
Instruction Fuzzy Hash: 3EE17C21A8864B81FB55AB15D844678A7A1BB8DB88FB84435CE1F4B3B1DF7CE447C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787775980, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 267windowCOMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32 ref: 00007FF7877759FD
GetLastError.KERNEL32 ref: 00007FF787775A0B
PostMessageW.USER32 ref: 00007FF787775C38
GetLastError.KERNEL32 ref: 00007FF787775A63

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Couldn't do pipe handshake, xrefs: 00007FF787775D84

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage$AddressFreeHandleLibraryModuleOverlappedPostProcResultTrace
String ID: Couldn't do pipe handshake
API String ID: 4014174110-3058899160
Opcode ID: 5931f70c9f062a88287348f5a5a7e13e8d9e3570f85271e509d76810fbce16bb
Instruction ID: 9a5d52144ecb5751a663d73da4d5332bc9e85095f874305ce70abe16bf4d4d51
Opcode Fuzzy Hash: 5931f70c9f062a88287348f5a5a7e13e8d9e3570f85271e509d76810fbce16bb
Instruction Fuzzy Hash: 0BC15B21A8C78B41FA54F725D494778A691BF88B88FF40036CE2F4B6A1DE6DE443C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787771434, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF78777146D
RegQueryValueExW.ADVAPI32 ref: 00007FF7877714E3
RegCloseKey.ADVAPI32 ref: 00007FF7877715F6

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771010: TraceMessage.ADVAPI32 ref: 00007FF787771047

Strings

FrameRate, xrefs: 00007FF7877714D5
SYSTEM\CurrentControlSet\Control\Terminal Server\RemoteFXGuest, xrefs: 00007FF78777144C

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseFreeHandleLibraryMessageModuleOpenProcQueryTraceValue
String ID: FrameRate$SYSTEM\CurrentControlSet\Control\Terminal Server\RemoteFXGuest
API String ID: 2288772661-3961407259
Opcode ID: 9f6c0fc199f6df0ff5c22d60da0dad22be6e1358873e0ddfe7ea3d75289ca876
Instruction ID: 7c6184ff421f6048ac922c05145802266558aaa6304234fddca0c25d4d26faa6
Opcode Fuzzy Hash: 9f6c0fc199f6df0ff5c22d60da0dad22be6e1358873e0ddfe7ea3d75289ca876
Instruction Fuzzy Hash: B951AF61A4864A86EB24AB24D4447B8A7A1FB8C78CFF40131DE5F4B6A1DF3CE047C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777209C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
GetProcAddress.KERNEL32 ref: 00007FF7877720E6
FreeLibrary.KERNEL32 ref: 00007FF787772106

Strings

Advapi32.dll, xrefs: 00007FF7877720C3
EventActivityIdControl, xrefs: 00007FF7877720DF

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: Advapi32.dll$EventActivityIdControl
API String ID: 4061214504-2884944642
Opcode ID: 624b6ca9b53f03022c91352cb2e5e9645de2a4cabb6d5e5f84c2a2fb001eafd4
Instruction ID: c93d397919a3f3a796f4500ad0990745b5902806a10c5b12ec2cea2883f610d8
Opcode Fuzzy Hash: 624b6ca9b53f03022c91352cb2e5e9645de2a4cabb6d5e5f84c2a2fb001eafd4
Instruction Fuzzy Hash: 2B017571648B0185EB20EF10E840169B3B0FB8C794F901135ED5F86765DE3CD146CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787776164, Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF78777618E
GetLastError.KERNEL32 ref: 00007FF7877761A3
GetLastError.KERNEL32 ref: 00007FF787776204

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

GetOverlappedResult.KERNEL32 ref: 00007FF7877762C1
GetLastError.KERNEL32 ref: 00007FF7877762CB

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressFileFreeHandleLibraryMessageModuleOverlappedProcResultTraceWrite
String ID:
API String ID: 1336870795-0
Opcode ID: 83a9ada008614ecd3c4be97b45ec1b9d15df0faaafb9e9b829cb39f74ca56d1f
Instruction ID: 52a1d5c277d76f3d3b35394b1e8e0ecdc09c384147e15e1165d35e67db5d7d69
Opcode Fuzzy Hash: 83a9ada008614ecd3c4be97b45ec1b9d15df0faaafb9e9b829cb39f74ca56d1f
Instruction Fuzzy Hash: 3261D321A8C74A81FB50A714D444778A791BB8DB88FB50032DE1F8B6AADF7CE447C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787779E9C, Relevance: 7.6, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,00000001,?,00007FF7877780AF,?,00000000,00000001,00007FF7877795DD), ref: 00007FF787779F10
memcpy.MSVCRT ref: 00007FF787779F3D
malloc.MSVCRT(?,00000001,?,00007FF7877780AF,?,00000000,00000001,00007FF7877795DD), ref: 00007FF787779F57
memcpy.MSVCRT ref: 00007FF787779F82
free.MSVCRT ref: 00007FF787779F8A
malloc.MSVCRT(?,00000001,?,00007FF7877780AF,?,00000000,00000001,00007FF7877795DD), ref: 00007FF787779F9E

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc$memcpy$free
String ID:
API String ID: 2877244841-0
Opcode ID: 33c5edad4697d0bca0be45975bdfbff2cdeddf8b502ba68a09bf7a3acb7d92d6
Instruction ID: 2963b171bb3e1fbcc8d33449b84976517dc6a94597794680bd8c269ca46621af
Opcode Fuzzy Hash: 33c5edad4697d0bca0be45975bdfbff2cdeddf8b502ba68a09bf7a3acb7d92d6
Instruction Fuzzy Hash: F331B26168AA4286EA14EF15A8442B8F2A0BB58BD0FB84435DE5F4B764DF7CE447C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787779FDC, Relevance: 7.6, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,00007FF787779672), ref: 00007FF78777A04F
memcpy.MSVCRT ref: 00007FF78777A075
malloc.MSVCRT(?,?,?,00007FF787779672), ref: 00007FF78777A08E
memcpy.MSVCRT ref: 00007FF78777A0B7
free.MSVCRT ref: 00007FF78777A0BF
malloc.MSVCRT(?,?,?,00007FF787779672), ref: 00007FF78777A0D2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc$memcpy$free
String ID:
API String ID: 2877244841-0
Opcode ID: 1f81c3acc2aea45ddb4b20b7e9827df09264199009f5bf9db718920d8e059e67
Instruction ID: e735cda0501ded8dc648404786e57ef21eb19d8b9ec3f4fc4f76e51ed9c22f33
Opcode Fuzzy Hash: 1f81c3acc2aea45ddb4b20b7e9827df09264199009f5bf9db718920d8e059e67
Instruction Fuzzy Hash: 1231B611B4974682FE14AB2AA444235E290BB48BC1F798835CE1F4B790DE7DE453E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777E400, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78778231C: LocalAlloc.KERNEL32 ref: 00007FF787782348

SetEvent.KERNEL32 ref: 00007FF78777E61A

Strings

Fail to add thread to thread descriptor, xrefs: 00007FF78777E6D0
thread descriptor creation failed in bind path, xrefs: 00007FF78777E497
Failed to init in thread context, xrefs: 00007FF78777E5EC

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEventLocal
String ID: Fail to add thread to thread descriptor$Failed to init in thread context$thread descriptor creation failed in bind path
API String ID: 2708221289-1929829824
Opcode ID: 4b3525b9128d17b0ac3bd3c2ab805607a2803f8e9c94faa30e0ec66a9974bbcf
Instruction ID: 741ebbb89000d886a5a02296554e50fb6535f5a4d43cc140b2c084a885ede79c
Opcode Fuzzy Hash: 4b3525b9128d17b0ac3bd3c2ab805607a2803f8e9c94faa30e0ec66a9974bbcf
Instruction Fuzzy Hash: D3B16125B88A4A85EA54AB15D454678A7A0FF8CB88FB84031DE1F8B371DF7CE443C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777EA78, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF78777EAEB
GetTickCount.KERNEL32 ref: 00007FF78777EB40

Part of subcall function 00007FF78778353C: EventActivityIdControl.ADVAPI32(?,?,?,?,?,?,?,?,00007FF78777ACC4,?,?,00000000,00007FF787771828), ref: 00007FF787783563

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

RunQueueEvent failed, xrefs: 00007FF78777EBA5
GetItem failed, xrefs: 00007FF78777EBFE

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$ActivityControlEventMessageTrace
String ID: GetItem failed$RunQueueEvent failed
API String ID: 738755933-1109440610
Opcode ID: d060be89867cb15fbe4d2b8bda3eef4ddb757a1292a81359bdcb887982050d32
Instruction ID: b5ab8b162ef61b05daff34ddc6c89373e780b8bb851ed87b27d8f3e1d67e0f8f
Opcode Fuzzy Hash: d060be89867cb15fbe4d2b8bda3eef4ddb757a1292a81359bdcb887982050d32
Instruction Fuzzy Hash: DD51AD22A4874A81EB14AB25D440379B7A0FB88B88FA44435CE1F4B7B5DF7CE447C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777C94C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF78777CA09
GetSystemInfo.KERNEL32 ref: 00007FF78777CA36
memset.MSVCRT ref: 00007FF78777CA83

Strings

CTSThread, xrefs: 00007FF78777C97B

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem$memset
String ID: CTSThread
API String ID: 2430167835-1158270316
Opcode ID: 6f18ff23904aa4e4cfeebe954df3d9418e3cf8aa8c57ab283e2f2d84cd90536b
Instruction ID: 4310bb3a6453b06cd4386fa5c4e9f60e9af2cb766996fdfd58bb070c04658547
Opcode Fuzzy Hash: 6f18ff23904aa4e4cfeebe954df3d9418e3cf8aa8c57ab283e2f2d84cd90536b
Instruction Fuzzy Hash: A8510632505B84DAD740DF25E884398B7A8F748F58FA8423ACE9D4B758DF38E465C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787778454, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7877784B6
DisplayConfigGetDeviceInfo.USER32 ref: 00007FF7877784D7
DisplayConfigSetDeviceInfo.USER32 ref: 00007FF78777855B

Strings

D3DKMTEnumAdapters, xrefs: 00007FF787778492

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConfigDeviceDisplayInfo$memset
String ID: D3DKMTEnumAdapters
API String ID: 4267736003-2763580205
Opcode ID: cbebe42d26720e5fc6453f02a6c7ca5129021e5ae1b6483bd58675a4690526e5
Instruction ID: ebcc93669394365acddd0a1062f15fe9640d70941ecacf376e032fd4ec1bacb7
Opcode Fuzzy Hash: cbebe42d26720e5fc6453f02a6c7ca5129021e5ae1b6483bd58675a4690526e5
Instruction Fuzzy Hash: 7E41BF32F446068AFB50DB65D48026CBBA0FB4C798FA40035DE5E97B95DF38D542CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777A1FC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00000000,00007FF78777AC9A,?,?,00000000,00007FF787771828), ref: 00007FF78777A225
TlsAlloc.KERNEL32(?,?,?,?,00000000,00007FF78777AC9A,?,?,00000000,00007FF787771828), ref: 00007FF78777A231

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

Failed to initialize timer list lock, xrefs: 00007FF78777A281
Failed to initialize timer globals, xrefs: 00007FF78777A2F2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc$AddressFreeHandleLibraryMessageModuleProcTrace
String ID: Failed to initialize timer globals$Failed to initialize timer list lock
API String ID: 1917141336-1902170985
Opcode ID: 6a41164c8f054cd7fe7e9bd2185022f230da3b7cd701784ad1063028b91e8375
Instruction ID: b32aaa1c1d5a5808188c4706d918c9606b075ad43c3ab9b287435995a7190bb5
Opcode Fuzzy Hash: 6a41164c8f054cd7fe7e9bd2185022f230da3b7cd701784ad1063028b91e8375
Instruction Fuzzy Hash: 07410820E8C64A85FB10BB59E884674A7A0BB4D788FB10035CE5F4B6B1DE3DE447C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777A384, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,?,?,00007FF78777A377,?,?,?,?,00000000,00007FF78777AC9A,?,?,00000000,00007FF787771828), ref: 00007FF78777A3A9

Strings

Failed to unregister the timer window class, xrefs: 00007FF78777A4A8
Failed to terminate timer globals, xrefs: 00007FF78777A3FA
Failed to unregister the thread window class, xrefs: 00007FF78777A451

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Free
String ID: Failed to terminate timer globals$Failed to unregister the thread window class$Failed to unregister the timer window class
API String ID: 3978063606-2031851587
Opcode ID: 14a70f8b5181e3734aa378d3ffc84b38fccaf51d6e0d985ae055b864b90dd0d2
Instruction ID: b1c2608fd0d49f06a9153c9a970415d799332e1b0cfafbcee588061d62a9c7e5
Opcode Fuzzy Hash: 14a70f8b5181e3734aa378d3ffc84b38fccaf51d6e0d985ae055b864b90dd0d2
Instruction Fuzzy Hash: 2B416C21A8864A45FB51BB28D449274A790BB4C38CFB40035CE5F8A6B2EF3DE543C778

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78777357C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(?,?,?,?,?,?,?,?,?,?,00000002,00007FF787773647), ref: 00007FF7877735A7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,00007FF787773647), ref: 00007FF7877735B3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,00007FF787773647), ref: 00007FF7877735BE

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

Couldn't inject +1,+1 mouse event, xrefs: 00007FF7877735FB

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressFreeHandleInputLibraryMessageModuleProcSendTrace
String ID: Couldn't inject +1,+1 mouse event
API String ID: 245005656-3913520787
Opcode ID: a718c6a19c4bfab6f91ba58cebd18933f18007d92acdcf6ecf79b54a15c22927
Instruction ID: 1c1eb8b1fe4c3fd757a9996f49609569080bdacaaf7fb89e641c3d1e8f698408
Opcode Fuzzy Hash: a718c6a19c4bfab6f91ba58cebd18933f18007d92acdcf6ecf79b54a15c22927
Instruction Fuzzy Hash: B5117236A4964685EB10AB15E444168B3E0FB8CB88FB54035CF5E87360DF39E947CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787779D6C, Relevance: 6.3, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,00007FF787779D19,?,?,00000001,00007FF78777A1DC,?,?,00000000,00007FF78777961B), ref: 00007FF787779DDF
memcpy.MSVCRT ref: 00007FF787779E05
malloc.MSVCRT(?,?,?,00007FF787779D19,?,?,00000001,00007FF78777A1DC,?,?,00000000,00007FF78777961B), ref: 00007FF787779E1E
free.MSVCRT(?,?,00000001,00007FF78777A1DC,?,?,00000000,00007FF78777961B), ref: 00007FF787779E4F
malloc.MSVCRT(?,?,?,00007FF787779D19,?,?,00000001,00007FF78777A1DC,?,?,00000000,00007FF78777961B), ref: 00007FF787779E62

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 6b327da02f4b66161a8b438211b29231804b54f44f3918d6bacbfea3b47141b8
Instruction ID: 73d6d7898082367ebbec2f34b53f53936d662fd19c3f60740437b19d154e93cb
Opcode Fuzzy Hash: 6b327da02f4b66161a8b438211b29231804b54f44f3918d6bacbfea3b47141b8
Instruction Fuzzy Hash: 0E31A462B4E78282EA24AB16A485139F291BF59BC0FB84434DE6F4B750DE7CE453C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787777958, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787775ED8: ReadFile.KERNEL32 ref: 00007FF787775F03
Part of subcall function 00007FF787775ED8: GetLastError.KERNEL32 ref: 00007FF787775F18

free.MSVCRT ref: 00007FF787777C8A

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771054: TraceMessage.ADVAPI32 ref: 00007FF7877710D3

Strings

Couldn't read get modes request, xrefs: 00007FF7877779CF
Couldn't send failed get modes reply, xrefs: 00007FF787777AE3
Couldn't send get modes reply, xrefs: 00007FF787777C5F

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorFileFreeHandleLastLibraryMessageModuleProcReadTracefree
String ID: Couldn't read get modes request$Couldn't send failed get modes reply$Couldn't send get modes reply
API String ID: 3163567557-2253135464
Opcode ID: 9d25ff68c4e97d3a068f60eb7c857da43d4bd482bcd648f9a2380c570d88e5df
Instruction ID: cfa35d1746aaf4c0f7535143a3f8ebf98fe69238d8e298676c832952c775cec1
Opcode Fuzzy Hash: 9d25ff68c4e97d3a068f60eb7c857da43d4bd482bcd648f9a2380c570d88e5df
Instruction Fuzzy Hash: DC91CE21A8934A45FB10AB25C444778AB91BB4CBD8FB80435DE1F4B7A2DE3CE547C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787782FA4, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78777A6FC: WaitForSingleObject.KERNEL32 ref: 00007FF78777A70E
Part of subcall function 00007FF78777A6FC: GetLastError.KERNEL32 ref: 00007FF78777A745

Part of subcall function 00007FF7877845F8: malloc.MSVCRT(?,?,?,00007FF78777B687,?,?,00000000,00007FF787771884), ref: 00007FF787784616

memset.MSVCRT ref: 00007FF787783172
memcpy.MSVCRT ref: 00007FF787783186

Strings

GetPooledObject(CTSBufferResult) failed, xrefs: 00007FF787783157
CTSBufferResult::CreateInstance failed!, xrefs: 00007FF787783224

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitmallocmemcpymemset
String ID: CTSBufferResult::CreateInstance failed!$GetPooledObject(CTSBufferResult) failed
API String ID: 3929841220-3175656617
Opcode ID: c67603df36b6529e772b0d1be1e1e7c51d5fe022204663a67dc122fccf7fc288
Instruction ID: 0b3ae857d4707ba5601648dec86470c75bdf0f5013eec37f75c586727362cff8
Opcode Fuzzy Hash: c67603df36b6529e772b0d1be1e1e7c51d5fe022204663a67dc122fccf7fc288
Instruction Fuzzy Hash: B9912C32A49B4681EB10AF29D44426CA7A1FB4CF88FA44431CE5E477A1DF3DE857C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7877849D0, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF787784B33
RtlLookupFunctionEntry.NTDLL ref: 00007FF787784B52
RtlVirtualUnwind.NTDLL ref: 00007FF787784B9F
__raise_securityfailure.LIBCMT ref: 00007FF787784C84

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 0ccfd407d2443cb921c10fd851158e4da18b663346867d21a142956528488def
Instruction ID: cdc3bb2a7fa24b23ad1c79fcf76f1565151253ddeccbacbad4c4ed5a26a87f16
Opcode Fuzzy Hash: 0ccfd407d2443cb921c10fd851158e4da18b663346867d21a142956528488def
Instruction Fuzzy Hash: A0410A35A48B4981EA10AB04F890765B364FB8D748FE04136DEAE87775EF7CE056C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787772280, Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowLongPtrW.USER32 ref: 00007FF7877722BC
GetWindowLongPtrW.USER32 ref: 00007FF7877722DF
DefWindowProcW.USER32 ref: 00007FF787772318
SetWindowLongPtrW.USER32 ref: 00007FF78777233E

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Proc
String ID:
API String ID: 3468714886-0
Opcode ID: 359dd8b8041dec6f1924884aa443b2f62e472e2bff484227456b18318a8a3b9d
Instruction ID: 59def8bbdf2e420a437ef59197dfa1b95e4807f6f1c47322990fa42f54d6c9cc
Opcode Fuzzy Hash: 359dd8b8041dec6f1924884aa443b2f62e472e2bff484227456b18318a8a3b9d
Instruction Fuzzy Hash: 64214B26B54B5582EA14AF26D440228A7B4FB89FC4FA84531CE6E4B765CF3CE493C314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787773CEC, Relevance: 6.1, APIs: 4, Instructions: 64timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00007FF787773D12
GetLastError.KERNEL32 ref: 00007FF787773D24

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787771010: TraceMessage.ADVAPI32 ref: 00007FF787771047

SetTimer.USER32 ref: 00007FF787773D82
GetLastError.KERNEL32 ref: 00007FF787773D8D

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastTimer$AddressFreeHandleLibraryMessageModuleProcTrace
String ID:
API String ID: 1144889964-0
Opcode ID: a5e2913d2097150f09a27358d3660013af647dbcced26a62ba6de330c482b77b
Instruction ID: b97ac554b74076f974c99906854d8b13dd3d3f40c0bed3bd71640c2b7ce2b138
Opcode Fuzzy Hash: a5e2913d2097150f09a27358d3660013af647dbcced26a62ba6de330c482b77b
Instruction Fuzzy Hash: A631B521B4868685EB51EB25D440728B7A1FB8CB8CFB04435CE6E87665DF3CD453C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787774D00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,00007FF787771D4C), ref: 00007FF787774D5E
GetLastError.KERNEL32(?,?,?,?,?,00007FF787771D4C), ref: 00007FF787774D68

Part of subcall function 00007FF78777209C: GetModuleHandleExA.KERNEL32 ref: 00007FF7877720D0
Part of subcall function 00007FF78777209C: GetProcAddress.KERNEL32 ref: 00007FF7877720E6
Part of subcall function 00007FF78777209C: FreeLibrary.KERNEL32 ref: 00007FF787772106

Part of subcall function 00007FF787772124: TraceMessage.ADVAPI32 ref: 00007FF78777214D

Strings

Couldn't destroy pipe thread, xrefs: 00007FF787774E24

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorEventFreeHandleLastLibraryMessageModuleProcTrace
String ID: Couldn't destroy pipe thread
API String ID: 4119523990-2671492076
Opcode ID: 1be1bcb70867283d592b7d2ed479a4cbe57861921791be4935d0343dd60bb6fa
Instruction ID: 6012882cf864e74d86ccc98c91d7178b382443ab5be2218e8e866427f4762f62
Opcode Fuzzy Hash: 1be1bcb70867283d592b7d2ed479a4cbe57861921791be4935d0343dd60bb6fa
Instruction Fuzzy Hash: 41418F21A8864A91EB41AB55E484375A7A1FF8CB98FB40035CF5F4B2A1DF7CE453C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF787783F34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,?,00000000,00007FF78777A3BB,?,?,?,?,?,00007FF78777A377), ref: 00007FF787783F48
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF78777A3BB,?,?,?,?,?,00007FF78777A377), ref: 00007FF787783F87

Strings

Failed to terminate timer list lock, xrefs: 00007FF787783FE2

Memory Dump Source

Source File: 00000017.00000002.377291001.00007FF787771000.00000020.00020000.sdmp, Offset: 00007FF787770000, based on PE: true

Associated: 00000017.00000002.377277405.00007FF787770000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.377397055.00007FF78778B000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.377423578.00007FF78778C000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$Local
String ID: Failed to terminate timer list lock
API String ID: 4294323854-3788181317
Opcode ID: f4ec0b03e64f2e937984683a7422465b44189c873a9a0a8efdb49a4e14d26feb
Instruction ID: 50e762b512a7b6064f90544dd0dadd9485779aa8dfdbe8bc18c88573db4ade52
Opcode Fuzzy Hash: f4ec0b03e64f2e937984683a7422465b44189c873a9a0a8efdb49a4e14d26feb
Instruction Fuzzy Hash: 3A210721B49A4A85EF54AB19E490278A3A0BF4CB88FB44435CE1E87671DF3CE447C368

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wusa.exe PID: 6940 Parent PID: 3292 wusa.exeCOMMON

Executed Functions

Function 000001D3478A2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001D3478A23B0
VirtualProtect.KERNELBASE ref: 000001D3478A2471
RtlAvlRemoveNode.NTDLL ref: 000001D3478A25B4
VirtualProtect.KERNELBASE ref: 000001D3478A2677

Memory Dump Source

Source File: 0000001C.00000002.404789134.000001D3478A0000.00000040.00000001.sdmp, Offset: 000001D3478A0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 16067045cae826ff5307d18d73c25c9861fa9193836d1cb7d97c2f7938184ce3
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: BCB143B6618BC486DB70CB1AE4417DEB7A1F7C9B80F108026EE8997B58DB7DC9518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001D3478A2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001D3478A29A8), ref: 000001D3478A20A7

Memory Dump Source

Source File: 0000001C.00000002.404789134.000001D3478A0000.00000040.00000001.sdmp, Offset: 000001D3478A0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: b3905f9fe383db87c494123cb48565796f87c308f573a164e33e11ae00baad83
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 38314CB2615B8086D780DF1AE45579A7BB0F389BD4F205026EF4D87B18DF39C442CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6D6598780, Relevance: 59.8, APIs: 17, Strings: 17, Instructions: 266encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D65A6310: malloc.MSVCRT(?,?,00000000,00007FF6D6591C6B), ref: 00007FF6D65A632E

memset.MSVCRT ref: 00007FF6D659881C
LocalFree.KERNEL32 ref: 00007FF6D65988A1
CryptReleaseContext.ADVAPI32 ref: 00007FF6D6598B1B
LocalFree.KERNEL32 ref: 00007FF6D6598B60

Part of subcall function 00007FF6D6599520: EventEnabled.ADVAPI32 ref: 00007FF6D6599564
Part of subcall function 00007FF6D6599520: _vsnprintf.MSVCRT ref: 00007FF6D6599596

Strings

Failed to build security attribute for sandbox, xrefs: 00007FF6D65988B2
Failed to build security attributes, error code %u, xrefs: 00007FF6D659883E
Failed to acquire a key container handle, xrefs: 00007FF6D65988F6
Failed to get directory attributes for %s, error code 0X%x, xrefs: 00007FF6D6598A77
Failed to convert ANSI to Unicode for %s, xrefs: 00007FF6D6598ADF
Failed to allocate memory for temp path, xrefs: 00007FF6D65987FB
Failed to build sandbox directory name, xrefs: 00007FF6D6598A04
Exit with error code 0X%x (%ls), xrefs: 00007FF6D6598879, 00007FF6D6598B3C
Failed to decrypt directory %S, error code %u, xrefs: 00007FF6D6598AA0
CreateSandBoxWorker, xrefs: 00007FF6D65987F1, 00007FF6D65988A7
Failed to create directory %S, error code %u, xrefs: 00007FF6D6598A2B
%02x, xrefs: 00007FF6D659899E
AppModule::Init, xrefs: 00007FF6D659878E
Failed to generate a random number, xrefs: 00007FF6D6598942
Failed to build sandbox full path, xrefs: 00007FF6D65989F3
CSecurityAttribute::GetSecurityAttributes, xrefs: 00007FF6D659884A, 00007FF6D659888D
%s%s, xrefs: 00007FF6D65989DE

Memory Dump Source

Source File: 0000001C.00000002.412893255.00007FF6D6591000.00000020.00020000.sdmp, Offset: 00007FF6D6590000, based on PE: true

Associated: 0000001C.00000002.412881157.00007FF6D6590000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.412915036.00007FF6D65A7000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.412937637.00007FF6D65C6000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.412950713.00007FF6D65C7000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLocal$ContextCryptEnabledEventRelease_vsnprintfmallocmemset
String ID: %02x$%s%s$AppModule::Init$CSecurityAttribute::GetSecurityAttributes$CreateSandBoxWorker$Exit with error code 0X%x (%ls)$Failed to acquire a key container handle$Failed to allocate memory for temp path$Failed to build sandbox directory name$Failed to build sandbox full path$Failed to build security attribute for sandbox$Failed to build security attributes, error code %u$Failed to convert ANSI to Unicode for %s$Failed to create directory %S, error code %u$Failed to decrypt directory %S, error code %u$Failed to generate a random number$Failed to get directory attributes for %s, error code 0X%x
API String ID: 971890446-2746632901
Opcode ID: 96fb142d0df9fc6f0f680b1d6f7e2f148c38a1f388399ba742e576295d4f3870
Instruction ID: 130fc2ffaecc25ece678d5bd0d80cd128ab37a928f63814ae62a4f62ca788a82
Opcode Fuzzy Hash: 96fb142d0df9fc6f0f680b1d6f7e2f148c38a1f388399ba742e576295d4f3870
Instruction Fuzzy Hash: C1B19DA1F08B4B86FB009B61D8507BE22A1BF54788F400537DD4ED7695DF3EE5AA8350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6D6595768, Relevance: 63.3, APIs: 12, Strings: 24, Instructions: 313COMMON

Download Yara Rule

APIs

EventRegister.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D65957AB
CreateEventW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D65957E3
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D65957F2
CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D6595827
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D6595C0B
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF6D659439E), ref: 00007FF6D6595C50

Strings

Failed to create event, xrefs: 00007FF6D65957FB
Failed to get STR_COPY_START text, xrefs: 00007FF6D6595B52
Failed to show multiple instance dialog, xrefs: 00007FF6D6595949
Failed to get STR_EXPAND_START_UNINSTALL text, xrefs: 00007FF6D6595B08
Failed to allocate BSTR for application title, xrefs: 00007FF6D6595A18
Failed to initialize COM security, xrefs: 00007FF6D6595880
Failed to initialize COM, xrefs: 00007FF6D6595837
Error: Another instance of wusa.exe is running., xrefs: 00007FF6D6595962
Failed to get STR_EXPAND_START text, xrefs: 00007FF6D6595ABE, 00007FF6D6595AE3
Failed to create sandbox, xrefs: 00007FF6D659598B
Failed to show welcome dialog, xrefs: 00007FF6D6595BEE
Exit with error code 0X%x (%ls), xrefs: 00007FF6D6595C2C
Failure returned by CreateFont(), xrefs: 00007FF6D6595A99
User is not a member of the Administrators group., xrefs: 00007FF6D6595BC1
Failed to get application title text, id %u, xrefs: 00007FF6D65959E9
Failed to initialize critical section, xrefs: 00007FF6D65958B3
Failed to get STR_UNINSTALL_START text, xrefs: 00007FF6D6595B7B
AppModule::Init, xrefs: 00007FF6D65957B3
Failure returned by InitCommonControlsEx(), xrefs: 00007FF6D6595A65
Created sandbox %ls, xrefs: 00007FF6D659599F
, xrefs: 00007FF6D6595A4B
Failed: AppModule::SetScanCabPath(), xrefs: 00007FF6D65959BE
Failed to show non administrator dialog, xrefs: 00007FF6D6595BA8
Failed to get STR_SEARCH_START text, xrefs: 00007FF6D6595B2D

Memory Dump Source

Source File: 0000001C.00000002.412893255.00007FF6D6591000.00000020.00020000.sdmp, Offset: 00007FF6D6590000, based on PE: true

Associated: 0000001C.00000002.412881157.00007FF6D6590000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.412915036.00007FF6D65A7000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.412937637.00007FF6D65C6000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.412950713.00007FF6D65C7000.00000002.00020000.sdmp Download File

Similarity

API ID: EventFreeLocal$CreateErrorInitializeLastRegister
String ID: $AppModule::Init$Created sandbox %ls$Error: Another instance of wusa.exe is running.$Exit with error code 0X%x (%ls)$Failed to allocate BSTR for application title$Failed to create event$Failed to create sandbox$Failed to get STR_COPY_START text$Failed to get STR_EXPAND_START text$Failed to get STR_EXPAND_START_UNINSTALL text$Failed to get STR_SEARCH_START text$Failed to get STR_UNINSTALL_START text$Failed to get application title text, id %u$Failed to initialize COM$Failed to initialize COM security$Failed to initialize critical section$Failed to show multiple instance dialog$Failed to show non administrator dialog$Failed to show welcome dialog$Failed: AppModule::SetScanCabPath()$Failure returned by CreateFont()$Failure returned by InitCommonControlsEx()$User is not a member of the Administrators group.
API String ID: 713711051-1121587626
Opcode ID: bc2327f15a3e2fcc32b09c516dd9ad296b8fc1b8c2ef6f4233b6b412ca7a6041
Instruction ID: 5617315c3d76dea9643c3f321539b248e50469829d0d9bcbaa23a8c5cd8e185a
Opcode Fuzzy Hash: bc2327f15a3e2fcc32b09c516dd9ad296b8fc1b8c2ef6f4233b6b412ca7a6041
Instruction Fuzzy Hash: 45D184A1F0874B86F7149B61D8507BE22A2BF45788F504033DA0ED3A95EF3EF5B58250

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report rPP7AHsBQt

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage