Play interactive tour

Edit tour

Windows Analysis Report 2JlIMkLNXh

Overview

General Information

Sample Name:	2JlIMkLNXh (renamed file extension from none to dll)
Analysis ID:	492758
MD5:	fe213638baba7c73e9addd779b4f078a
SHA1:	e463b86c2e573569643c5e24668bd291d7c2e6b0
SHA256:	27f32618162b8a522fc5fb8fb832848acb724cf2ac0c03b8488b2c405c582d6a
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 576 cmdline: loaddll64.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 4192 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 3240 cmdline: rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4656 cmdline: rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 6340 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

mstsc.exe (PID: 6412 cmdline: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

tcmsetup.exe (PID: 6516 cmdline: C:\Windows\system32\tcmsetup.exe MD5: 0DDA495155D552D024593C4B3246C8FA)

tcmsetup.exe (PID: 6564 cmdline: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe MD5: 0DDA495155D552D024593C4B3246C8FA)

rundll32.exe (PID: 4920 cmdline: rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1320 cmdline: rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6476 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 6880 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.251743405.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.257720074.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000016.00000002.374374689.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.342710737.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.266384036.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001A.00000002.394057525.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 2JlIMkLNXh.dll	Virustotal: Detection: 69%			Perma Link
Source: 2JlIMkLNXh.dll	ReversingLabs: Detection: 77%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 2JlIMkLNXh.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\YTBx\TAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Show sources

Source: 2JlIMkLNXh.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\YTBx\TAPI32.dll	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66038F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,		22_2_00007FF66038F8FC
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66038F52C CryptProtectData,LocalAlloc,LocalFree,		22_2_00007FF66038F52C

Source: 2JlIMkLNXh.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source:	Binary string: tcmsetup.pdb source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

1_2_000000014005D290

Source: explorer.exe, 0000001C.00000002.783735126.0000000006A87000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.miC
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microso
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.c
Source: explorer.exe, 00000006.00000000.288544187.000000000DC20000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.co

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000005.00000002.251743405.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.257720074.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.374374689.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.342710737.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.266384036.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.394057525.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034870	1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035270	1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048AC0	1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C340	1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140065B80	1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0	1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400524B0	1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026CC0	1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BD40	1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400495B0	1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036F30	1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069010	1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001010	1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066020	1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F840	1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D850	1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064080	1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140010880	1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400688A0	1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D0D0	1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400018D0	1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016100	1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D100	1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A110	1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D910	1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015120	1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000B120	1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F940	1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039140	1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023140	1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057950	1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E170	1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002980	1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400611A0	1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A0	1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400381A0	1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E1B0	1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400139D0	1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400319F0	1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA00	1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022A00	1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B220	1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067A40	1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069A50	1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007A60	1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AAC0	1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A2E0	1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140062B00	1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018300	1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FB20	1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031340	1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022340	1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017B40	1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BB40	1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EB60	1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005370	1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CB80	1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B390	1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140054BA0	1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033BB0	1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400263C0	1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400123C0	1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063BD0	1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400663F0	1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023BF0	1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B41B	1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B424	1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B42D	1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B436	1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B43D	1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024440	1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005C40	1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B446	1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005F490	1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D00	1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035520	1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019D20	1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030530	1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023530	1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031540	1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033540	1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014007BD50	1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140078570	1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019580	1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205A0	1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025DB0	1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140071DC0	1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000C5C0	1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DDE0	1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DF0	1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000DDF0	1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001620	1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018630	1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032650	1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064E80	1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016E80	1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007EA0	1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400286B0	1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006EB0	1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400276C0	1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FEC0	1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EED0	1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B6E0	1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053F20	1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022730	1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029780	1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018F80	1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003EFB0	1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400067B0	1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400667D0	1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060FE0	1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603239A0	22_2_00007FF6603239A0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66032CE08	22_2_00007FF66032CE08
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603235EC	22_2_00007FF6603235EC
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660328DF0	22_2_00007FF660328DF0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603A1690	22_2_00007FF6603A1690
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66031DA8C	22_2_00007FF66031DA8C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66032EAB4	22_2_00007FF66032EAB4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660354320	22_2_00007FF660354320
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660314EC4	22_2_00007FF660314EC4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603312E0	22_2_00007FF6603312E0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660316B94	22_2_00007FF660316B94
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660315410	22_2_00007FF660315410
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603277C0	22_2_00007FF6603277C0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66032A858	22_2_00007FF66032A858
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660328060	22_2_00007FF660328060
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603284C0	22_2_00007FF6603284C0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603264DC	22_2_00007FF6603264DC
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Code function: 26_2_00007FF6193B1A38	26_2_00007FF6193B1A38

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046C90 NtClose,		1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,		1_2_000000014006A4B0

Source: 2JlIMkLNXh.dll

Binary or memory string: OriginalFilenamekbdyj% vs 2JlIMkLNXh.dll

Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiribbon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkexplorer.dll	Jump to behavior

Source: Secur32.dll.6.dr	Static PE information: Number of sections : 52 > 10
Source: TAPI32.dll.6.dr	Static PE information: Number of sections : 52 > 10
Source: 2JlIMkLNXh.dll	Static PE information: Number of sections : 51 > 10

Source: 2JlIMkLNXh.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 2JlIMkLNXh.dll	Virustotal: Detection: 69%
Source: 2JlIMkLNXh.dll	ReversingLabs: Detection: 77%

Source: 2JlIMkLNXh.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe C:\Users\user\AppData\Local\YTBx\tcmsetup.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingCodePage	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@21/5@0/0

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF660358E00 memset,memset,memset,memset,memset,PathStripPathW,PathFindExtensionW,CharLowerW,PathRemoveFileSpecW,CharLowerW,CharLowerW,CoCreateInstance,LocalFree,

22_2_00007FF660358E00

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader

Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\{080b51e7-5243-64c4-ebc3-67abce22293e}
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4646cca1-0c19-80c6-1a2a-cb48f0801431}

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF660314EC4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,free,free,

22_2_00007FF660314EC4

Source: unknown

Process created: C:\Windows\explorer.exe

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\MsftEdit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 2JlIMkLNXh.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2JlIMkLNXh.dll

Static file information: File size 1941504 > 1048576

Source: 2JlIMkLNXh.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source:	Binary string: tcmsetup.pdb source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140056A4D push rdi; ret

1_2_0000000140056A4E

Source: 2JlIMkLNXh.dll	Static PE information: section name: .qkm
Source: 2JlIMkLNXh.dll	Static PE information: section name: .cvjb
Source: 2JlIMkLNXh.dll	Static PE information: section name: .tlmkv
Source: 2JlIMkLNXh.dll	Static PE information: section name: .wucsxe
Source: 2JlIMkLNXh.dll	Static PE information: section name: .fltwtj
Source: 2JlIMkLNXh.dll	Static PE information: section name: .sfplio
Source: 2JlIMkLNXh.dll	Static PE information: section name: .rpg
Source: 2JlIMkLNXh.dll	Static PE information: section name: .bewzc
Source: 2JlIMkLNXh.dll	Static PE information: section name: .vksvaw
Source: 2JlIMkLNXh.dll	Static PE information: section name: .wmhg
Source: 2JlIMkLNXh.dll	Static PE information: section name: .kswemc
Source: 2JlIMkLNXh.dll	Static PE information: section name: .kaxfk
Source: 2JlIMkLNXh.dll	Static PE information: section name: .pjf
Source: 2JlIMkLNXh.dll	Static PE information: section name: .retjqj
Source: 2JlIMkLNXh.dll	Static PE information: section name: .mizn
Source: 2JlIMkLNXh.dll	Static PE information: section name: .rsrub
Source: 2JlIMkLNXh.dll	Static PE information: section name: .susbqq
Source: 2JlIMkLNXh.dll	Static PE information: section name: .jeojcw
Source: 2JlIMkLNXh.dll	Static PE information: section name: .vwl
Source: 2JlIMkLNXh.dll	Static PE information: section name: .mub
Source: 2JlIMkLNXh.dll	Static PE information: section name: .xwxpmb
Source: 2JlIMkLNXh.dll	Static PE information: section name: .aea
Source: 2JlIMkLNXh.dll	Static PE information: section name: .lwpch
Source: 2JlIMkLNXh.dll	Static PE information: section name: .nzgp
Source: 2JlIMkLNXh.dll	Static PE information: section name: .qimx
Source: 2JlIMkLNXh.dll	Static PE information: section name: .jbqbr
Source: 2JlIMkLNXh.dll	Static PE information: section name: .kxxxil
Source: 2JlIMkLNXh.dll	Static PE information: section name: .drpaa
Source: 2JlIMkLNXh.dll	Static PE information: section name: .lepjc
Source: 2JlIMkLNXh.dll	Static PE information: section name: .ywrsat
Source: 2JlIMkLNXh.dll	Static PE information: section name: .ialjct
Source: 2JlIMkLNXh.dll	Static PE information: section name: .ujrqkf
Source: 2JlIMkLNXh.dll	Static PE information: section name: .lwaoje
Source: 2JlIMkLNXh.dll	Static PE information: section name: .pces
Source: 2JlIMkLNXh.dll	Static PE information: section name: .zuizg
Source: 2JlIMkLNXh.dll	Static PE information: section name: .upz
Source: 2JlIMkLNXh.dll	Static PE information: section name: .wxuh
Source: 2JlIMkLNXh.dll	Static PE information: section name: .fsdfq
Source: 2JlIMkLNXh.dll	Static PE information: section name: .xxlo
Source: 2JlIMkLNXh.dll	Static PE information: section name: .hcxtgl
Source: 2JlIMkLNXh.dll	Static PE information: section name: .owbx
Source: 2JlIMkLNXh.dll	Static PE information: section name: .phg
Source: 2JlIMkLNXh.dll	Static PE information: section name: .trmoj
Source: 2JlIMkLNXh.dll	Static PE information: section name: .zaixaf
Source: 2JlIMkLNXh.dll	Static PE information: section name: .myzf
Source: mstsc.exe.6.dr	Static PE information: section name: .didat
Source: Secur32.dll.6.dr	Static PE information: section name: .qkm
Source: Secur32.dll.6.dr	Static PE information: section name: .cvjb
Source: Secur32.dll.6.dr	Static PE information: section name: .tlmkv
Source: Secur32.dll.6.dr	Static PE information: section name: .wucsxe
Source: Secur32.dll.6.dr	Static PE information: section name: .fltwtj
Source: Secur32.dll.6.dr	Static PE information: section name: .sfplio
Source: Secur32.dll.6.dr	Static PE information: section name: .rpg
Source: Secur32.dll.6.dr	Static PE information: section name: .bewzc
Source: Secur32.dll.6.dr	Static PE information: section name: .vksvaw
Source: Secur32.dll.6.dr	Static PE information: section name: .wmhg
Source: Secur32.dll.6.dr	Static PE information: section name: .kswemc
Source: Secur32.dll.6.dr	Static PE information: section name: .kaxfk
Source: Secur32.dll.6.dr	Static PE information: section name: .pjf
Source: Secur32.dll.6.dr	Static PE information: section name: .retjqj
Source: Secur32.dll.6.dr	Static PE information: section name: .mizn
Source: Secur32.dll.6.dr	Static PE information: section name: .rsrub
Source: Secur32.dll.6.dr	Static PE information: section name: .susbqq
Source: Secur32.dll.6.dr	Static PE information: section name: .jeojcw
Source: Secur32.dll.6.dr	Static PE information: section name: .vwl
Source: Secur32.dll.6.dr	Static PE information: section name: .mub
Source: Secur32.dll.6.dr	Static PE information: section name: .xwxpmb
Source: Secur32.dll.6.dr	Static PE information: section name: .aea
Source: Secur32.dll.6.dr	Static PE information: section name: .lwpch
Source: Secur32.dll.6.dr	Static PE information: section name: .nzgp
Source: Secur32.dll.6.dr	Static PE information: section name: .qimx
Source: Secur32.dll.6.dr	Static PE information: section name: .jbqbr
Source: Secur32.dll.6.dr	Static PE information: section name: .kxxxil
Source: Secur32.dll.6.dr	Static PE information: section name: .drpaa
Source: Secur32.dll.6.dr	Static PE information: section name: .lepjc
Source: Secur32.dll.6.dr	Static PE information: section name: .ywrsat
Source: Secur32.dll.6.dr	Static PE information: section name: .ialjct
Source: Secur32.dll.6.dr	Static PE information: section name: .ujrqkf
Source: Secur32.dll.6.dr	Static PE information: section name: .lwaoje
Source: Secur32.dll.6.dr	Static PE information: section name: .pces
Source: Secur32.dll.6.dr	Static PE information: section name: .zuizg
Source: Secur32.dll.6.dr	Static PE information: section name: .upz
Source: Secur32.dll.6.dr	Static PE information: section name: .wxuh
Source: Secur32.dll.6.dr	Static PE information: section name: .fsdfq
Source: Secur32.dll.6.dr	Static PE information: section name: .xxlo
Source: Secur32.dll.6.dr	Static PE information: section name: .hcxtgl
Source: Secur32.dll.6.dr	Static PE information: section name: .owbx
Source: Secur32.dll.6.dr	Static PE information: section name: .phg
Source: Secur32.dll.6.dr	Static PE information: section name: .trmoj
Source: Secur32.dll.6.dr	Static PE information: section name: .zaixaf
Source: Secur32.dll.6.dr	Static PE information: section name: .myzf
Source: Secur32.dll.6.dr	Static PE information: section name: .jdkzt
Source: TAPI32.dll.6.dr	Static PE information: section name: .qkm
Source: TAPI32.dll.6.dr	Static PE information: section name: .cvjb
Source: TAPI32.dll.6.dr	Static PE information: section name: .tlmkv
Source: TAPI32.dll.6.dr	Static PE information: section name: .wucsxe
Source: TAPI32.dll.6.dr	Static PE information: section name: .fltwtj
Source: TAPI32.dll.6.dr	Static PE information: section name: .sfplio
Source: TAPI32.dll.6.dr	Static PE information: section name: .rpg
Source: TAPI32.dll.6.dr	Static PE information: section name: .bewzc
Source: TAPI32.dll.6.dr	Static PE information: section name: .vksvaw
Source: TAPI32.dll.6.dr	Static PE information: section name: .wmhg
Source: TAPI32.dll.6.dr	Static PE information: section name: .kswemc
Source: TAPI32.dll.6.dr	Static PE information: section name: .kaxfk
Source: TAPI32.dll.6.dr	Static PE information: section name: .pjf
Source: TAPI32.dll.6.dr	Static PE information: section name: .retjqj
Source: TAPI32.dll.6.dr	Static PE information: section name: .mizn
Source: TAPI32.dll.6.dr	Static PE information: section name: .rsrub
Source: TAPI32.dll.6.dr	Static PE information: section name: .susbqq
Source: TAPI32.dll.6.dr	Static PE information: section name: .jeojcw
Source: TAPI32.dll.6.dr	Static PE information: section name: .vwl
Source: TAPI32.dll.6.dr	Static PE information: section name: .mub
Source: TAPI32.dll.6.dr	Static PE information: section name: .xwxpmb
Source: TAPI32.dll.6.dr	Static PE information: section name: .aea
Source: TAPI32.dll.6.dr	Static PE information: section name: .lwpch
Source: TAPI32.dll.6.dr	Static PE information: section name: .nzgp
Source: TAPI32.dll.6.dr	Static PE information: section name: .qimx
Source: TAPI32.dll.6.dr	Static PE information: section name: .jbqbr
Source: TAPI32.dll.6.dr	Static PE information: section name: .kxxxil
Source: TAPI32.dll.6.dr	Static PE information: section name: .drpaa
Source: TAPI32.dll.6.dr	Static PE information: section name: .lepjc
Source: TAPI32.dll.6.dr	Static PE information: section name: .ywrsat
Source: TAPI32.dll.6.dr	Static PE information: section name: .ialjct
Source: TAPI32.dll.6.dr	Static PE information: section name: .ujrqkf
Source: TAPI32.dll.6.dr	Static PE information: section name: .lwaoje
Source: TAPI32.dll.6.dr	Static PE information: section name: .pces
Source: TAPI32.dll.6.dr	Static PE information: section name: .zuizg
Source: TAPI32.dll.6.dr	Static PE information: section name: .upz
Source: TAPI32.dll.6.dr	Static PE information: section name: .wxuh
Source: TAPI32.dll.6.dr	Static PE information: section name: .fsdfq
Source: TAPI32.dll.6.dr	Static PE information: section name: .xxlo
Source: TAPI32.dll.6.dr	Static PE information: section name: .hcxtgl
Source: TAPI32.dll.6.dr	Static PE information: section name: .owbx
Source: TAPI32.dll.6.dr	Static PE information: section name: .phg
Source: TAPI32.dll.6.dr	Static PE information: section name: .trmoj
Source: TAPI32.dll.6.dr	Static PE information: section name: .zaixaf
Source: TAPI32.dll.6.dr	Static PE information: section name: .myzf
Source: TAPI32.dll.6.dr	Static PE information: section name: .shcm

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF66032BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,

22_2_00007FF66032BEA0

Source: Secur32.dll.6.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1dca59
Source: TAPI32.dll.6.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1e59ee
Source: 2JlIMkLNXh.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x1e406b

Source: mstsc.exe.6.dr

Static PE information: 0xB359C414 [Fri May 8 10:36:04 2065 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\YTBx\TAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GU

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GU

Jump to behavior

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603239A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	22_2_00007FF6603239A0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66031F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	22_2_00007FF66031F5A4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66039C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	22_2_00007FF66039C560
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66031CE48 IsIconic,GetWindowPlacement,GetLastError,	22_2_00007FF66031CE48
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660319A6C IsIconic,GetWindowPlacement,GetWindowRect,	22_2_00007FF660319A6C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF66031CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	22_2_00007FF66031CF28
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660321B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	22_2_00007FF660321B44
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660322F5C IsWindowVisible,IsIconic,	22_2_00007FF660322F5C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660322884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	22_2_00007FF660322884
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF6603204F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	22_2_00007FF6603204F8

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005C340 GetSystemInfo,

1_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

1_2_000000014005D290

Source: explorer.exe, 0000001C.00000003.478164779.0000000008602000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B1
Source: explorer.exe, 0000001C.00000002.789331719.0000000008516000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001C.00000002.787223635.00000000082AD000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001C.00000003.458285250.00000000085F9000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001C.00000003.468597864.0000000008588000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}GONSERV
Source: explorer.exe, 0000001C.00000003.456622279.0000000006B27000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}esgZ
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.456244015.0000000008516000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.252365474.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.285201603.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f
Source: explorer.exe, 0000001C.00000002.787223635.00000000082AD000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}indows.Cortana_cw5n1h2txyewB
Source: explorer.exe, 0000001C.00000003.458285250.00000000085F9000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:&
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
Source: explorer.exe, 0000001C.00000003.707657930.00000000082D2000.00000004.00000001.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001C.00000003.478182163.0000000008605000.00000004.00000001.sdmp	Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e`~
Source: explorer.exe, 00000006.00000000.285663277.0000000008A9D000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}::
Source: explorer.exe, 0000001C.00000003.411015605.0000000006AFC000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}escriptionGIf p
Source: explorer.exe, 0000001C.00000003.466074498.0000000008456000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 00000006.00000000.285201603.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000001C.00000003.707002128.0000000006A87000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dh
Source: explorer.exe, 0000001C.00000003.709433811.00000000082D3000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: explorer.exe, 0000001C.00000003.477096819.0000000008594000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} 032: "33"
Source: explorer.exe, 0000001C.00000003.469308444.0000000008453000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bx
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*
Source: explorer.exe, 0000001C.00000003.705969758.00000000085F9000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bj
Source: explorer.exe, 0000001C.00000003.707657930.00000000082D2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001C.00000003.467430701.0000000008458000.00000004.00000001.sdmp	Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 0000001C.00000003.459210102.0000000006B27000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.477081008.0000000008589000.00000004.00000001.sdmp	Binary or memory string: 806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-
Source: explorer.exe, 0000001C.00000003.707657930.00000000082D2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BC_C
Source: explorer.exe, 0000001C.00000003.477013843.00000000085F9000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bg
Source: explorer.exe, 0000001C.00000003.707591229.000000000EA9C000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 0000001C.00000003.459210102.0000000006B27000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9:b
Source: explorer.exe, 0000001C.00000003.707657930.00000000082D2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BY
Source: explorer.exe, 0000001C.00000003.708597221.0000000006B78000.00000004.00000001.sdmp	Binary or memory string: 2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001C.00000003.468687386.0000000008450000.00000004.00000001.sdmp	Binary or memory string: 11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f563q
Source: explorer.exe, 0000001C.00000002.783735126.0000000006A87000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorer.exe, 0000001C.00000003.713873275.0000000006B7A000.00000004.00000001.sdmp	Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.478451454.0000000008602000.00000004.00000001.sdmp	Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bj
Source: explorer.exe, 0000001C.00000003.707566012.000000000EA94000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lesPSM
Source: explorer.exe, 0000001C.00000003.455188887.00000000084EE000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ProgramN
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ows\Sys
Source: explorer.exe, 00000006.00000000.255467881.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000001C.00000003.466988755.00000000085F9000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B\|
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}am File
Source: explorer.exe, 0000001C.00000002.787930036.00000000083C3000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF66032BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,

22_2_00007FF66032BEA0

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,

1_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Code function: 22_2_00007FF660432264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FF660432264
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Code function: 26_2_00007FF6193B2330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00007FF6193B2330
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Code function: 26_2_00007FF6193B2530 SetUnhandledExceptionFilter,	26_2_00007FF6193B2530

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: Secur32.dll.6.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe

Code function: 26_2_00007FF6193B1618 HeapSetInformation,GetModuleHandleW,LoadStringW,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetCommandLineW,

26_2_00007FF6193B1618

Source: explorer.exe, 0000001C.00000002.772768256.0000000000A37000.00000004.00000020.sdmp	Binary or memory string: Progmanrogram File
Source: explorer.exe, 00000006.00000000.276761829.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.782481746.0000000004FA0000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.782481746.0000000004FA0000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.294598051.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.776559903.0000000001180000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001C.00000003.402079483.00000000044C4000.00000004.00000001.sdmp	Binary or memory string: ProgmanaY
Source: explorer.exe, 0000001C.00000002.780622795.0000000004440000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd*
Source: explorer.exe, 0000001C.00000002.776559903.0000000001180000.00000002.00020000.sdmp	Binary or memory string: ZProgram Manageri

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	Queries volume information: unknown VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF66041D15C GetSystemTime,SystemTimeToFileTime,EventActivityIdControl,

22_2_00007FF66041D15C

Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe

Code function: 22_2_00007FF66042F5EC memset,GetVersionExW,GetVersionExW,

22_2_00007FF66042F5EC

Source: explorer.exe, 0000001C.00000003.449554775.0000000008433000.00000004.00000001.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Registry Run Keys / Startup Folder2	Process Injection312	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	DLL Side-Loading1	Registry Run Keys / Startup Folder2	Process Injection312	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	DLL Side-Loading1	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	System Information Discovery25	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2JlIMkLNXh.dll	69%	Virustotal		Browse
2JlIMkLNXh.dll	78%	ReversingLabs	Win64.Infostealer.Dridex
2JlIMkLNXh.dll	100%	Avira	HEUR/AGEN.1114452
2JlIMkLNXh.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\YTBx\TAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\YTBx\TAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
26.2.tcmsetup.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
22.2.mstsc.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.microso	0%	URL Reputation	safe
http://schemas.microsoft.c	0%	URL Reputation	safe
http://schemas.miC	0%	Avira URL Cloud	safe
http://schemas.microsoft.co	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.microso	explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.microsoft.c	explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.miC	explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.microsoft.co	explorer.exe, 00000006.00000000.288544187.000000000DC20000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492758
Start date:	29.09.2021
Start time:	00:33:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2JlIMkLNXh (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@21/5@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 20.8% (good quality ratio 14.1%) Quality average: 50.1% Quality standard deviation: 41.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 173.222.108.226, 173.222.108.210, 40.112.88.60, 20.50.102.62, 80.67.82.211, 80.67.82.235, 23.203.80.193, 51.104.136.2, 20.54.110.249, 20.82.209.104, 204.79.197.200, 13.107.21.200, 52.182.143.212 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdcus15.centralus.cloudapp.azure.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:35:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GU
00:35:45	API Interceptor	1326x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\YTBx\tcmsetup.exe	oB4wShoM81.dll	Get hash	malicious	Browse
	5s7H5yP0YA.dll	Get hash	malicious	Browse
	wr3PdlRKjL.dll	Get hash	malicious	Browse
	PSnPApRPsG.dll	Get hash	malicious	Browse
	N37wjZ34KC.dll	Get hash	malicious	Browse
	e75OHzYF9S.dll	Get hash	malicious	Browse
	Z3Asq5R56C.dll	Get hash	malicious	Browse
	Y7KrNvSxWx.dll	Get hash	malicious	Browse
	8yQieH8k8q.dll	Get hash	malicious	Browse
	5pG7H5XLEj.dll	Get hash	malicious	Browse
	40TWLYCrEf.dll	Get hash	malicious	Browse
	BUal7Z7t7a.dll	Get hash	malicious	Browse
	mmM8TEnV8t.dll	Get hash	malicious	Browse
	d3bWgdGpkZ.dll	Get hash	malicious	Browse
	0oSZeHvzK2.dll	Get hash	malicious	Browse
	neTLYArwd7.dll	Get hash	malicious	Browse
	hDeUA0Ag8C.dll	Get hash	malicious	Browse
	gKibedwOnl.dll	Get hash	malicious	Browse
	b2e1YcSctb.dll	Get hash	malicious	Browse
	l7ytx2QXnx.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\YTBx\TAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1949696
Entropy (8bit):	3.847240274529997
Encrypted:	false
SSDEEP:	12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	2DB379C0F1D84F594F99640DF0EC1C86
SHA1:	276A4C43DE33BE489DC83520FF470CB24D959205
SHA-256:	16B57B8D107E0E5C08D74FA5B3B63D346415E85301B121186D2CED0A0D5F407E
SHA-512:	6AD20F570B6038397DDCFCC5AFD2CECD8D17F0E12337F90602595CC7350D57584A52546EA49E6490E167736E4F93DC820E1154CAB138AD3D14622E05508FF517
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.4..DN^.........." ................p..........@....................................@lx}..b.............................................V....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	4.999998588063228
Encrypted:	false
SSDEEP:	192:DIzBdu2Mhf/+G1jQ0pwPYqLmdO0O7RgZiLtzADWO4hxDcUh6UdBndOvfSWG0oW:GMVJjQ0dg0O7yk5ciJcUhLiSWG0oW
MD5:	0DDA495155D552D024593C4B3246C8FA
SHA1:	7501A7AD5DAA41462BEFF9127154BAF261A24A5B
SHA-256:	D3074CBD29678CA612C1F8AA93DE1F5B75108BE8187F0F2A2331BC302AD48CD9
SHA-512:	9159D8AF457591256BA87443E89ECE942DE40B8FF39586116C2026330B8AE9C20F96905547E87D98508951D2B4687069EFD018CC9E4A6C94A6C26D4B587F41B3
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: oB4wShoM81.dll, Detection: malicious, Browse Filename: 5s7H5yP0YA.dll, Detection: malicious, Browse Filename: wr3PdlRKjL.dll, Detection: malicious, Browse Filename: PSnPApRPsG.dll, Detection: malicious, Browse Filename: N37wjZ34KC.dll, Detection: malicious, Browse Filename: e75OHzYF9S.dll, Detection: malicious, Browse Filename: Z3Asq5R56C.dll, Detection: malicious, Browse Filename: Y7KrNvSxWx.dll, Detection: malicious, Browse Filename: 8yQieH8k8q.dll, Detection: malicious, Browse Filename: 5pG7H5XLEj.dll, Detection: malicious, Browse Filename: 40TWLYCrEf.dll, Detection: malicious, Browse Filename: BUal7Z7t7a.dll, Detection: malicious, Browse Filename: mmM8TEnV8t.dll, Detection: malicious, Browse Filename: d3bWgdGpkZ.dll, Detection: malicious, Browse Filename: 0oSZeHvzK2.dll, Detection: malicious, Browse Filename: neTLYArwd7.dll, Detection: malicious, Browse Filename: hDeUA0Ag8C.dll, Detection: malicious, Browse Filename: gKibedwOnl.dll, Detection: malicious, Browse Filename: b2e1YcSctb.dll, Detection: malicious, Browse Filename: l7ytx2QXnx.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............Z...Z...Z..[...Z..[...Z..[...Z..[...Z...Z...Z..[...Z.:Z...Z..[...ZRich...Z................PE..d....E.H.........."..........,....... .........@..........................................`.......... .......................................9..x....p..P....`..D............... ....5..T............................0...............1...............................text............................... ..`.rdata..&....0......................@..@.data... ....P.......0..............@....pdata..D....`.......2..............@..@.rsrc...P....p.......4..............@..@.reloc.. ............>..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945600
Entropy (8bit):	3.837322257119322
Encrypted:	false
SSDEEP:	12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	05BACE1B34170BF867B1462BD982E0C6
SHA1:	657AF7B197381CCA16204428730E105DB9F42BA7
SHA-256:	92D65FB15281A70FC6749A5ECC43BBC4B680497AEFA7E82182018F05DED98826
SHA-512:	5E45E93763FFB8A3E83BE512F55DDF2C75CF6B6B654A849735AE1049A8F0115AD01E19011ACF9D62C7175FC30B003659E43659A18991F5D1205DA95F0102A830
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.4..DN^.........." ................p..........@....................................@lx}..b.............................................#....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3640832
Entropy (8bit):	5.884402821447862
Encrypted:	false
SSDEEP:	98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
MD5:	3FBB5CD8829E9533D0FF5819DB0444C0
SHA1:	A4A6E4E50421E57EA4745BA44568B107A9369447
SHA-256:	043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
SHA-512:	349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... w.dN$.dN$.dN$..M%.dN$..J%.dN$..K%.dN$..O%.dN$.dO$TfN$..G%.eN$...$.dN$..L%.dN$Rich.dN$........PE..d.....Y..........."......$....%.....p..........@..............................7......K8...`..................................................].......p..H>!.....`.............7. ..P...T...........................`...............`........\..`....................text....".......$.................. ..`.rdata...\...@...^...(..............@..@.data...P(..........................@....pdata..`...........................@..@.didat..(....`....... ..............@....rsrc...H>!..p...@!.."..............@..@.reloc.. ....7..,...b7.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.480585654433585
Encrypted:	false
SSDEEP:	48:JcwUc3+5j2KMXDFaQwSluTIQcvVJ6cwUcAx54iurf/BjbJxjIxlPcuZJYmm:Jjzgj+TFmWuyyjcD0z/lNx0vg
MD5:	8F8C26181663A67A34214741DE21A3D0
SHA1:	6582F9AC92CDED35B3F82538E11A5D20957FA931
SHA-256:	A77369687E9FC82C8208FD8415EEC9D98CD332011C772CCDADA93F9202D11E63
SHA-512:	6DD67B4D5E94B76FB54BB17423CFD91D90B8451D0B137622A94717C29B27433F2E25BECD057C4DEFD1EA75DC0C8F3401CFF7D223784930E580F881763C4F1FF4
Malicious:	false
Preview:	........................................user.........................................user.....................RSA1................Y..uEZ..b^.......V...q..3..wO_q.....E_~.=.=g....A...m...z...H.-..Nc..>......_X........,...cD+..%..7...7k.U=.h....1...0.`!.....................z..O.......I..)..L.tMN.p......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....n....7.$Y...5..k.c.Q./.4u_............... ...q3_3.,!.m.6...s.at.).....iI.9y....V.?q.........>...p7.dO.'i.d^<)g.Ws.......~....{..f._#......Zm..c......Z...e....e.S2....]$f....6.7....VFy7....\a.iSW..w...q..H.x.....-.}.q........P\|.U....LpK..G)P.].......E..X<..1...`......4...PX.UF...'p....N..W.._Y.g.I.O.@..Ih.Ht..L..j.0Z..y!..w.s@.{AF\/.S.m.z..+.H.....ch....R}.3.W.R...........(.o..}..........[5.R...-m%.[....o...F.Z7d..,......8.:..T.7.4.......Bo#.z.W- 9.6\|.....m.....s.....z.k..p..++....5b/d.~..,If....P..(......u............Q.:.E#.w.R....VHF..EX..d.u&XWOm8..-....]%9./..}.~.-.}j..H..

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.831979748392846
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	2JlIMkLNXh.dll
File size:	1941504
MD5:	fe213638baba7c73e9addd779b4f078a
SHA1:	e463b86c2e573569643c5e24668bd291d7c2e6b0
SHA256:	27f32618162b8a522fc5fb8fb832848acb724cf2ac0c03b8488b2c405c582d6a
SHA512:	2bafcee6542db5f32c4a181ed745c7a6944382d2b3a730c4444b6d8ce8d81f195c2c7c3c7d2b492db3de815e2b50f690455f0c86ba3595667da27d1ff0f3582e
SSDEEP:	12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007FA5C4AD5CEFh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007FA5C4AD5CCEh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1d9010	0x12e	.myzf
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64fd0	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio	0x110000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc	0x157000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw	0x159000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg	0x15a000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc	0x15c000	0x36d	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk	0x15d000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pjf	0x15f000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retjqj	0x160000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mizn	0x161000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrub	0x162000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.susbqq	0x164000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jeojcw	0x16b000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vwl	0x16c000	0xae7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mub	0x16d000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwxpmb	0x174000	0x573	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.aea	0x175000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lwpch	0x176000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nzgp	0x177000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qimx	0x178000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jbqbr	0x179000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kxxxil	0x17a000	0xbf6	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.drpaa	0x17b000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lepjc	0x17c000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywrsat	0x17d000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ialjct	0x17e000	0x103	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ujrqkf	0x17f000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lwaoje	0x181000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pces	0x182000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zuizg	0x183000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.upz	0x18a000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wxuh	0x18b000	0xbf6	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fsdfq	0x18c000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xxlo	0x18d000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hcxtgl	0x18e000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.owbx	0x190000	0xf9	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.phg	0x191000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.trmoj	0x192000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zaixaf	0x193000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.myzf	0x1d9000	0x13e	0x1000	False	0.046142578125	data	0.645779984281	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
CreateXmlReader	1	0x14003d414
CreateXmlReaderInputWithEncodingCodePage	2	0x14003a750
CreateXmlReaderInputWithEncodingName	3	0x14000d9f8
CreateXmlWriter	4	0x140030868
CreateXmlWriterOutputWithEncodingCodePage	5	0x1400276b8
CreateXmlWriterOutputWithEncodingName	6	0x1400163e4

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 00:34:52.177783012 CEST	65307	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:34:52.198076963 CEST	53	65307	8.8.8.8	192.168.2.5
Sep 29, 2021 00:35:06.947459936 CEST	64344	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:35:06.983998060 CEST	53	64344	8.8.8.8	192.168.2.5
Sep 29, 2021 00:35:24.923285961 CEST	62060	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:35:24.943025112 CEST	53	62060	8.8.8.8	192.168.2.5
Sep 29, 2021 00:35:44.611530066 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:35:44.639178038 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 29, 2021 00:35:49.031955957 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:35:49.061124086 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:05.174542904 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:05.212105989 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:10.253612041 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:10.276340961 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:14.106188059 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:14.132950068 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:15.212671041 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:15.246840954 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:39.201730967 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:39.236076117 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:39.700304031 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:39.720061064 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:40.064248085 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:40.096088886 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:40.476725101 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:40.501283884 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:41.182564974 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:41.206267118 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:41.906605959 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:41.931135893 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:42.442914009 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:42.462734938 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:42.952892065 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:43.010600090 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:43.539592028 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:43.573434114 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:43.637828112 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:43.655312061 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:43.949307919 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:43.969032049 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:44.260929108 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:44.287940025 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:46.449498892 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:46.485205889 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:48.085802078 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:48.115533113 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 29, 2021 00:36:59.317008972 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:36:59.339082003 CEST	53	50463	8.8.8.8	192.168.2.5
Sep 29, 2021 00:37:15.998902082 CEST	50394	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:37:16.019366026 CEST	53	50394	8.8.8.8	192.168.2.5
Sep 29, 2021 00:37:17.942449093 CEST	58530	53	192.168.2.5	8.8.8.8
Sep 29, 2021 00:37:17.962500095 CEST	53	58530	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 576 Parent PID: 1860

General

Start time:	00:34:56
Start date:	29/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll'
Imagebase:	0x7ff7a0630000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4192 Parent PID: 576

General

Start time:	00:34:57
Start date:	29/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4656 Parent PID: 576

General

Start time:	00:34:57
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader
Imagebase:	0x7ff6ab530000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.342710737.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3240 Parent PID: 4192

General

Start time:	00:34:57
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Imagebase:	0x7ff6ab530000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.251743405.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 4656

General

Start time:	00:34:59
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4920 Parent PID: 576

General

Start time:	00:35:01
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingCodePage
Imagebase:	0x7ff797770000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.257720074.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1320 Parent PID: 576

General

Start time:	00:35:04
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingName
Imagebase:	0x7ff6ab530000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.266384036.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: mstsc.exe PID: 6340 Parent PID: 3472

General

Start time:	00:35:43
Start date:	29/09/2021
Path:	C:\Windows\System32\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mstsc.exe
Imagebase:	0x7ff6a77f0000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mstsc.exe PID: 6412 Parent PID: 3472

General

Start time:	00:35:45
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe
Imagebase:	0x7ff660310000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000016.00000002.374374689.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: rundll32.exe PID: 6476 Parent PID: 792

General

Start time:	00:35:55
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6ab530000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: tcmsetup.exe PID: 6516 Parent PID: 3472

General

Start time:	00:35:57
Start date:	29/09/2021
Path:	C:\Windows\System32\tcmsetup.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\tcmsetup.exe
Imagebase:	0x7ff65de30000
File size:	16384 bytes
MD5 hash:	0DDA495155D552D024593C4B3246C8FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: tcmsetup.exe PID: 6564 Parent PID: 3472

General

Start time:	00:35:58
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\YTBx\tcmsetup.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\YTBx\tcmsetup.exe
Imagebase:	0x7ff6193b0000
File size:	16384 bytes
MD5 hash:	0DDA495155D552D024593C4B3246C8FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.394057525.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: explorer.exe PID: 6880 Parent PID: 564

General

Start time:	00:36:05
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll64.exe PID: 576 Parent PID: 1860 loaddll64.exeCOMMON

Executed Functions

Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140049BDD
}*, xrefs: 0000000140049620

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
Opcode Fuzzy Hash: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 000000014003704B
EntryPoint.2JLIMKLNXH ref: 00000001400370EE

Strings

d, xrefs: 0000000140037032
)8GV, xrefs: 0000000140037008

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleEntryFreePoint
String ID: )8GV$d
API String ID: 3550414006-3589632123
Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 000000014005D101

Strings

sy;, xrefs: 000000014005C9ED
sy;, xrefs: 000000014005C420

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: sy;$sy;
API String ID: 31276548-3660992706
Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

}*, xrefs: 000000014004BDB0
}*, xrefs: 000000014004C37C

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 000000014005D2ED

Strings

., xrefs: 000000014005D36A

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140026CC0, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

)8GV, xrefs: 000000014002703B
)8GV, xrefs: 0000000140027120

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
Opcode Fuzzy Hash: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A4B0, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000000014006A550

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 014ba3f31a54ab5bd7c94f0c661e1d483c83fc367b3a803fd5cc701f36f44b24
Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
Opcode Fuzzy Hash: 014ba3f31a54ab5bd7c94f0c661e1d483c83fc367b3a803fd5cc701f36f44b24
Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 0000000140048CDE

Part of subcall function 000000014005D1F0: FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035270, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

ExitProcess.KERNEL32 ref: 00000001400354E1

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseExitProcess
String ID:
API String ID: 3487036407-0
Opcode ID: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
Opcode Fuzzy Hash: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046C90, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034870, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
Opcode Fuzzy Hash: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000026F9FEE2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000026F9FEE23B0
VirtualProtect.KERNELBASE ref: 0000026F9FEE2471
RtlAvlRemoveNode.NTDLL ref: 0000026F9FEE25B4
VirtualProtect.KERNELBASE ref: 0000026F9FEE2677

Memory Dump Source

Source File: 00000001.00000002.272319507.0000026F9FEE0000.00000040.00000001.sdmp, Offset: 0000026F9FEE0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 99868a5e89e0a559fb64fa2ac64bb3e853e24031774f1036ddcc95587239802b
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: A1B1537661ABC486DB70CF1AF44079EB7A1F7C9B80F118026EE8957B58DB7AC8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B

Strings

4aX, xrefs: 000000014005FA09

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID: 4aX
API String ID: 3907675253-4042356595
Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DAE0, Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DD30, Relevance: 3.1, APIs: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014005DDD8
ReadFile.KERNELBASE ref: 000000014005DE49

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046F60, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0000000140046FDE

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE ref: 000000014005FEFE

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D1F0, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 0000000140060C16

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046690, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00000001400466DD

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046730, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014004678C

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699

Uniqueness

Uniqueness Score: -1.00%

Function 0000026F9FEE2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000026F9FEE29A8), ref: 0000026F9FEE20A7

Memory Dump Source

Source File: 00000001.00000002.272319507.0000026F9FEE0000.00000040.00000001.sdmp, Offset: 0000026F9FEE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: e22fe623094396046db19ee1287e7af1d51e5136edd7d056c7545f012119e2b2
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: B5315E72615B8086D790DF1AF45475A7BA0F389BC4F214026EF4D87B28DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014002B6E0, Relevance: 8.2, Strings: 6, Instructions: 741COMMON

Download Yara Rule

Strings

0020, xrefs: 000000014002B98B
3050, xrefs: 000000014002BB42
4040, xrefs: 000000014002BB6A
3050, xrefs: 000000014002B992
GNOP, xrefs: 000000014002B9CB
0020, xrefs: 000000014002BB49

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP
API String ID: 0-829999343
Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071DC0, Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000000014007211B
ERCP, xrefs: 0000000140071EED
VUUU, xrefs: 0000000140072194
VUUU, xrefs: 000000014007213B

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400667D0, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

SW, xrefs: 0000000140066CA6
SW, xrefs: 0000000140066A69
SW, xrefs: 0000000140066C49
SW, xrefs: 0000000140066A1A

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SW$SW$SW$SW
API String ID: 0-1120820918
Opcode ID: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
Opcode Fuzzy Hash: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031DF0, Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140032008
GC,, xrefs: 00000001400321D7
GC,, xrefs: 000000014003216C
GC,, xrefs: 0000000140031FC2

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,$GC,$GC,
API String ID: 0-2774350030
Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140057950, Relevance: 4.5, Strings: 2, Instructions: 1977COMMON

Download Yara Rule

Strings

}*, xrefs: 00000001400579C0
}*, xrefs: 0000000140057F89

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
Opcode Fuzzy Hash: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400263C0, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

)8GV, xrefs: 00000001400267B0
)8GV, xrefs: 0000000140026A4D
@, xrefs: 0000000140026B3F

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
Opcode Fuzzy Hash: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400067B0, Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

*/*, xrefs: 0000000140006D02
GET, xrefs: 000000014000688D, 000000014000689B
POST, xrefs: 0000000140006CF6

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
Opcode Fuzzy Hash: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035520, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140035622
GC,, xrefs: 0000000140035665
{QN, xrefs: 00000001400355E1

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,${QN
API String ID: 0-3150587038
Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025DB0, Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140025FF4
GC,, xrefs: 0000000140025E65

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$GC,
API String ID: 0-3557465234
Opcode ID: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
Opcode Fuzzy Hash: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FB20, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

cLpS, xrefs: 000000014002FB76
cLpS, xrefs: 000000014002FB46

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS$cLpS
API String ID: 0-581437482
Opcode ID: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
Opcode Fuzzy Hash: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039140, Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

D, xrefs: 0000000140039B2B

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C5C0, Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000C5D5

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
Opcode Fuzzy Hash: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015120, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 000000014001530B

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExpandStrings
String ID:
API String ID: 1839112984-0
Opcode ID: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
Opcode Fuzzy Hash: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019D20, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687ffdf343c2e9789a5d1ebb489b5c539987e33f75712a11b993f063ce15b1a2
Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
Opcode Fuzzy Hash: 687ffdf343c2e9789a5d1ebb489b5c539987e33f75712a11b993f063ce15b1a2
Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019580, Relevance: 2.0, APIs: 1, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127911a31568296dbbdbd0e7203d4322e69c18d1e401fad8c93ef71fb1fa4fd2
Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
Opcode Fuzzy Hash: 127911a31568296dbbdbd0e7203d4322e69c18d1e401fad8c93ef71fb1fa4fd2
Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EB0, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

cLpS, xrefs: 00000001400072A3

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS
API String ID: 0-2886372077
Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400139D0, Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

m, xrefs: 000000014001422E

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID: m
API String ID: 1964310414-3775001192
Opcode ID: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
Opcode Fuzzy Hash: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D100, Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

s( j, xrefs: 000000014001D128

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s( j
API String ID: 0-1450404818
Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029780, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

kw9b, xrefs: 000000014002989A

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumValue
String ID: kw9b
API String ID: 858281747-837114885
Opcode ID: e8ba736cc1ae897b53590531b1c8201d906e4f93dc6415c10813659a3bbeb7cc
Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
Opcode Fuzzy Hash: e8ba736cc1ae897b53590531b1c8201d906e4f93dc6415c10813659a3bbeb7cc
Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033BB0, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

U, xrefs: 000000014003408F

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 1612c2b18446cb3e650eba47dd8b229cab4fb8fae804e2c9001081e94953d27d
Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
Opcode Fuzzy Hash: 1612c2b18446cb3e650eba47dd8b229cab4fb8fae804e2c9001081e94953d27d
Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023530, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 000000014002385F

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
Opcode Fuzzy Hash: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400389A0, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140038A46

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID: 0
API String ID: 3535843008-4108050209
Opcode ID: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
Opcode Fuzzy Hash: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400205A0, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 000000014002069B

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
Opcode Fuzzy Hash: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EED0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 000000014002F04E

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023140, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

tI*k, xrefs: 0000000140023300

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tI*k
API String ID: 0-257501792
Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078570, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00000001400785BF

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F940, Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
Opcode Fuzzy Hash: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
Opcode Fuzzy Hash: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B220, Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024440, Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018630, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
Opcode Fuzzy Hash: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
Opcode Fuzzy Hash: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B120, Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B390, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069010, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
Opcode Fuzzy Hash: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E170, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
Opcode Fuzzy Hash: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002980, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
Opcode Fuzzy Hash: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
Opcode Fuzzy Hash: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010880, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D910, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
Opcode Fuzzy Hash: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033540, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
Opcode Fuzzy Hash: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
Opcode Fuzzy Hash: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
Opcode Fuzzy Hash: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
Opcode Fuzzy Hash: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064080, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030530, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A110, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
Opcode Fuzzy Hash: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F490, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031540, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
Opcode Fuzzy Hash: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066020, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B424, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B436, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B446, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
Opcode Fuzzy Hash: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001010, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
Opcode Fuzzy Hash: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018300, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
Opcode Fuzzy Hash: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016100, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
Opcode Fuzzy Hash: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032650, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
Opcode Fuzzy Hash: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D850, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001620, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
Opcode Fuzzy Hash: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
Opcode Fuzzy Hash: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022730, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031340, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F840, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
Opcode Fuzzy Hash: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022340, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005370, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.272018953.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272141607.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.272161230.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.272167847.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4656 Parent PID: 576 rundll32.exeCOMMON

Executed Functions

Function 000001CACC8F2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001CACC8F23B0
VirtualProtect.KERNELBASE ref: 000001CACC8F2471
RtlAvlRemoveNode.NTDLL ref: 000001CACC8F25B4
VirtualProtect.KERNELBASE ref: 000001CACC8F2677

Memory Dump Source

Source File: 00000004.00000002.343440572.000001CACC8F0000.00000040.00000001.sdmp, Offset: 000001CACC8F0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: fca687a66ee1b69e645222c1c357ca22e475ce9b91f5b6fbab23cf5778c0fdb7
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: C1B15876618BC486E770CB1AE440BDEB7A1F7C9B84F508126DE8957B58CB79C8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001CACC8F2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001CACC8F29A8), ref: 000001CACC8F20A7

Memory Dump Source

Source File: 00000004.00000002.343440572.000001CACC8F0000.00000040.00000001.sdmp, Offset: 000001CACC8F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 0ee180c814a92601ecba54ad936b921f169e05e7303812f485ee792703e9ab53
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 85315C72715B8486D780DF1AE49479A7BA0F789BC8F604026EF8D87B18DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3240 Parent PID: 4192 rundll32.exeCOMMON

Executed Functions

Function 0000026C34C72252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000026C34C723B0
VirtualProtect.KERNELBASE ref: 0000026C34C72471
RtlAvlRemoveNode.NTDLL ref: 0000026C34C725B4
VirtualProtect.KERNELBASE ref: 0000026C34C72677

Memory Dump Source

Source File: 00000005.00000002.251956584.0000026C34C70000.00000040.00000001.sdmp, Offset: 0000026C34C70000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 85c4a10553406279f00c5b78346846bf9ffe8afd7ae593731678691aa8ece844
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 64B14576618BC48AD770CB1AF44079EBBA1F7C9B80F108126EEC957B58DB7AC8558F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000026C34C72057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000026C34C729A8), ref: 0000026C34C720A7

Memory Dump Source

Source File: 00000005.00000002.251956584.0000026C34C70000.00000040.00000001.sdmp, Offset: 0000026C34C70000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 1e929e9171ac8ba163b83838bbb45d9b156a11ec1b595e2ba65ea746a962e89d
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 19312976615B9086D790DF1AF49575A7BA0F389BD4F209026EF8D87B28DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4920 Parent PID: 576 rundll32.exeCOMMON

Executed Functions

Function 0000023E35532252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0000023E355323B0
VirtualProtect.KERNEL32 ref: 0000023E35532471
RtlAvlRemoveNode.NTDLL ref: 0000023E355325B4
VirtualProtect.KERNEL32 ref: 0000023E35532677

Memory Dump Source

Source File: 00000008.00000002.259418410.0000023E35530000.00000040.00000001.sdmp, Offset: 0000023E35530000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 89875af4b9342631afb50d6a95c51add1703d833c8c42902af871b99d2c5f0a7
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 4CB14376618BC486DB70CB1AE4407AEB7A1F7C9B80F118026EE8D57B98DB7DC9458F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E35532057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,0000023E355329A8), ref: 0000023E355320A7

Memory Dump Source

Source File: 00000008.00000002.259418410.0000023E35530000.00000040.00000001.sdmp, Offset: 0000023E35530000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: d697101b7398edd8341785a4f4b6abb116d357a11133cedf39ae818bc990f114
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 9E315A72615B9086DB80DF1AE45475A7BA0F789BC4F218026EF8D87B68DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1320 Parent PID: 576 rundll32.exeCOMMON

Executed Functions

Function 000001F8F6AE2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001F8F6AE23B0
VirtualProtect.KERNELBASE ref: 000001F8F6AE2471
RtlAvlRemoveNode.NTDLL ref: 000001F8F6AE25B4
VirtualProtect.KERNELBASE ref: 000001F8F6AE2677

Memory Dump Source

Source File: 0000000A.00000002.266686061.000001F8F6AE0000.00000040.00000001.sdmp, Offset: 000001F8F6AE0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 2bd975b373ca8dc47213174d95a4065c270f519686b10c4a5f4f65c9c5a31272
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 06B153B6618BC58AD730CB1AE4407EEB7A1F7D9B84F108126EE8957B58CB7DC8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001F8F6AE2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001F8F6AE29A8), ref: 000001F8F6AE20A7

Memory Dump Source

Source File: 0000000A.00000002.266686061.000001F8F6AE0000.00000040.00000001.sdmp, Offset: 000001F8F6AE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 838963f79a6141de757e29f35ab76aba8937e967b23188eb62d6e1f0b20e5734
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: C8312DB2615B9086D790DF1AE45579A7BA0F389BD8F205126EF4D87B18DF39C446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mstsc.exe PID: 6412 Parent PID: 3472 mstsc.exeCOMMON

Executed Functions

Function 0000020583BB2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000020583BB23B0
VirtualProtect.KERNELBASE ref: 0000020583BB2471
RtlAvlRemoveNode.NTDLL ref: 0000020583BB25B4
VirtualProtect.KERNELBASE ref: 0000020583BB2677

Memory Dump Source

Source File: 00000016.00000002.375125608.0000020583BB0000.00000040.00000001.sdmp, Offset: 0000020583BB0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 6bf12a25e280da22c7f1e3b86d9c53c40bdb63ab2224453e9d5c7779257784dc
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 8EB157B6618BD486E730CB5AE48079EB7A0F7C9B80F508026DEC957B59CF79C8818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000020583BB2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000020583BB29A8), ref: 0000020583BB20A7

Memory Dump Source

Source File: 00000016.00000002.375125608.0000020583BB0000.00000040.00000001.sdmp, Offset: 0000020583BB0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: de4a811529ba06da3ba46d38e6984782c0af53a86b8b97f7be19b1e8fd2c23a3
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 6C313EB2615B9086D790DF1AE49475A7BA0F389BD4F209026EF8D87B18DF39C486CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF660358E00, Relevance: 47.7, APIs: 13, Strings: 14, Instructions: 419comCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF660358E67
memset.MSVCRT ref: 00007FF660358E78
memset.MSVCRT ref: 00007FF660358E89
memset.MSVCRT ref: 00007FF660358E9D
memset.MSVCRT ref: 00007FF660358EAF
PathStripPathW.SHLWAPI ref: 00007FF660358F33
PathFindExtensionW.SHLWAPI ref: 00007FF660358F3E
PathRemoveFileSpecW.SHLWAPI ref: 00007FF660358FA6

Part of subcall function 00007FF6603597B0: _vsnwprintf.MSVCRT ref: 00007FF6603597F3

Part of subcall function 00007FF660358448: LocalAlloc.KERNEL32 ref: 00007FF660358493

CharLowerW.USER32 ref: 00007FF6603590D8
CharLowerW.USER32 ref: 00007FF6603590E1
CoCreateInstance.OLE32 ref: 00007FF660359105
CharLowerW.USER32 ref: 00007FF660358F47

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

LocalFree.KERNEL32 ref: 00007FF6603594FB

Strings

QueryInterface(IID_IPropertyStore) failed!, xrefs: 00007FF660359401
StringCbCopy failed!, xrefs: 00007FF660358F02
SetValue failed!, xrefs: 00007FF66035947F
"%s", xrefs: 00007FF6603591BA
SetIconLocation failed!, xrefs: 00007FF6603592D6
SetDescription failed!, xrefs: 00007FF66035939A
%s (%s), xrefs: 00007FF660358FC2
CoCreateInstance(IID_IShellLink) failed!, xrefs: 00007FF660359149
Commit failed!, xrefs: 00007FF6603594CC
SetPath failed!, xrefs: 00007FF6603591AB
StringCbPrintf failed!, xrefs: 00007FF660359013, 00007FF66035920E
SetShowCmd failed!, xrefs: 00007FF660359337
SetArguments failed!, xrefs: 00007FF660359271
GetClientPath failed!, xrefs: 00007FF6603590C9

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Path$CharLower$FreeLocal$AddressAllocCreateExtensionFileFindHandleInstanceLibraryModuleProcRemoveSpecStrip_vsnwprintf
String ID: "%s"$%s (%s)$CoCreateInstance(IID_IShellLink) failed!$Commit failed!$GetClientPath failed!$QueryInterface(IID_IPropertyStore) failed!$SetArguments failed!$SetDescription failed!$SetIconLocation failed!$SetPath failed!$SetShowCmd failed!$SetValue failed!$StringCbCopy failed!$StringCbPrintf failed!
API String ID: 1101623152-3884380683
Opcode ID: 3b486454db1c8dda85bb59be7f087c3c315eebc6d273166c5c8fb74ad59bd5e0
Instruction ID: 5d3ad6c74ff7c65bf2bef5959128ed4e2aa6779c158044cce9de62b093994347
Opcode Fuzzy Hash: 3b486454db1c8dda85bb59be7f087c3c315eebc6d273166c5c8fb74ad59bd5e0
Instruction Fuzzy Hash: F22258A9A1CA47F5EB668F16D88437927B1FF84789F500032D90DDB7B1EE2CE9068700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660328DF0, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 180windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32 ref: 00007FF660328E2F
MulDiv.KERNEL32 ref: 00007FF660328E47
MulDiv.KERNEL32 ref: 00007FF660328E5F
MulDiv.KERNEL32 ref: 00007FF660328E7A
ImageList_Destroy.COMCTL32 ref: 00007FF660328E99
ImageList_LoadImageW.COMCTL32 ref: 00007FF660328EC2
SendMessageW.USER32 ref: 00007FF660328EE8
SendMessageW.USER32 ref: 00007FF660328F03
SendMessageW.USER32 ref: 00007FF660328F19
LoadIconW.USER32 ref: 00007FF660328F91
ImageList_GetImageCount.COMCTL32 ref: 00007FF660328FA1
ImageList_Create.COMCTL32 ref: 00007FF660328FBF
LoadImageW.USER32 ref: 00007FF660328FF4
ImageList_ReplaceIcon.COMCTL32 ref: 00007FF66032900B
DestroyIcon.USER32 ref: 00007FF660329014
ImageList_ReplaceIcon.COMCTL32 ref: 00007FF660329025
ImageList_Destroy.COMCTL32 ref: 00007FF660329046
SendMessageW.USER32 ref: 00007FF660329065

Part of subcall function 00007FF6603270D0: SetTimer.USER32 ref: 00007FF6603271EE

MulDiv.KERNEL32 ref: 00007FF66032908B
SetWindowPos.USER32 ref: 00007FF6603290B4

Strings

, xrefs: 00007FF660328FAA
P , xrefs: 00007FF660328FE0

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$IconMessageSend$DestroyLoad$Replace$CountCreateTimerWindow
String ID: $P
API String ID: 2927750888-1072161666
Opcode ID: ee6b62bfc86ae326361ea5e796a7beb62640337ed107eb644fadcc8e7c2283c7
Instruction ID: ff5bf7c7e37f0fa86ff2daea864411954df08c6d0c295cc07f93152b5db79c8e
Opcode Fuzzy Hash: ee6b62bfc86ae326361ea5e796a7beb62640337ed107eb644fadcc8e7c2283c7
Instruction Fuzzy Hash: 8481AC32705642E7EB688F22E65466973B1FB88B90F049135DF5E8BB50CF39E461CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66031F5A4, Relevance: 34.1, APIs: 6, Strings: 13, Instructions: 887windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 00007FF66031F773
IsIconic.USER32 ref: 00007FF66031F88A
GetClientRect.USER32 ref: 00007FF66031F941
VariantClear.OLEAUT32 ref: 00007FF66031FC36
DefWindowProcW.USER32 ref: 00007FF66032016A
GetLastError.KERNEL32 ref: 00007FF66031F976

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

SyncRemoteClipboardToLocalSession failed., xrefs: 00007FF660320338
QueryInterface(IID_IMsRdpClientNonScriptable7) failed!, xrefs: 00007FF660320247, 00007FF660320393
put_FullScreen(VARIANT_TRUE) failed!, xrefs: 00007FF66031FED1
ShowSessionDiagnostics, xrefs: 00007FF66031FBCD
mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6, xrefs: 00007FF66031FD97
put_FullScreen failed!, xrefs: 00007FF66031F6C0, 00007FF66031F8F9
QueryInterface failed for IMsRdpExtendedSettings, xrefs: 00007FF66031FB7E
put_Property(UTREG_UI_SHOWSESSIONDIAGNOSTICS) failed!, xrefs: 00007FF66031FC0D
ShowGatewayInformation, xrefs: 00007FF66031FFBA
SyncLocalClipboardToRemoteSession failed., xrefs: 00007FF660320470
put_Property(UTREG_UI_SHOWGATEWAYINFORMATION) failed!, xrefs: 00007FF66032000A
get_Clipboard failed!, xrefs: 00007FF6603202BF, 00007FF66032040B
SyncSessionDisplaySettings failed!, xrefs: 00007FF66031F749

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Proc$Window$AddressClearClientErrorFreeHandleIconicLastLibraryMessageModuleRectTraceVariant
String ID: QueryInterface failed for IMsRdpExtendedSettings$QueryInterface(IID_IMsRdpClientNonScriptable7) failed!$ShowGatewayInformation$ShowSessionDiagnostics$SyncLocalClipboardToRemoteSession failed.$SyncRemoteClipboardToLocalSession failed.$SyncSessionDisplaySettings failed!$get_Clipboard failed!$mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6$put_FullScreen failed!$put_FullScreen(VARIANT_TRUE) failed!$put_Property(UTREG_UI_SHOWGATEWAYINFORMATION) failed!$put_Property(UTREG_UI_SHOWSESSIONDIAGNOSTICS) failed!
API String ID: 2462753969-1519939121
Opcode ID: e26c52a7ba858114533c0ac0eff862648fbe91d21300b794545ed4ef046c9bc1
Instruction ID: fe2eb546b5f6241f7d2b6f4c9c9bb1196b3f41a830f68cbab5fc10b05db4f97b
Opcode Fuzzy Hash: e26c52a7ba858114533c0ac0eff862648fbe91d21300b794545ed4ef046c9bc1
Instruction Fuzzy Hash: E9927E21A1CA47E5EA609F26D45027937B1FF88B89F144072DA4EEB7A5DF3CE446C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603A1690, Relevance: 31.8, APIs: 10, Strings: 8, Instructions: 336COMMON

Download Yara Rule

APIs

CredDeleteW.ADVAPI32 ref: 00007FF6603A18FA
GetLastError.KERNEL32 ref: 00007FF6603A1904

Part of subcall function 00007FF6603A23BC: LocalFree.KERNEL32(?,?,?,00000000,00000000,00007FF6603A21BC), ref: 00007FF6603A25A2

CredDeleteW.ADVAPI32 ref: 00007FF6603A1A24
GetLastError.KERNEL32 ref: 00007FF6603A1A2E

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

LocalFree.KERNEL32 ref: 00007FF6603A1AD7
CredFree.ADVAPI32 ref: 00007FF6603A1AE7

Part of subcall function 00007FF6603A1690: CredDeleteW.ADVAPI32 ref: 00007FF6603A1B02
Part of subcall function 00007FF6603A1690: GetLastError.KERNEL32 ref: 00007FF6603A1B0C

Part of subcall function 00007FF6603A1690: GetLastError.KERNEL32 ref: 00007FF6603A1B70

Strings

CredDelete(Server) failed, xrefs: 00007FF6603A1B64
CredRead(Server) failed, xrefs: 00007FF6603A1BD2
DeleteSavedCreds(CRED_TYPE_DOMAIN_PASSWORD) failed, xrefs: 00007FF6603A17BD
CredDelete(SPN) failed, xrefs: 00007FF6603A1A87
DeleteSavedCreds(CRED_TYPE_GENERIC) failed, xrefs: 00007FF6603A1726
CreateSPN failed, xrefs: 00007FF6603A1A0E
CredDelete(Server,CRED_TYPE_DOMAIN_EXTENDED) failed, xrefs: 00007FF6603A196D
GetTargetForExtednedCredential failed, xrefs: 00007FF6603A18C2

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: CredErrorFreeLast$Delete$Local$AddressHandleLibraryModuleProc
String ID: CreateSPN failed$CredDelete(SPN) failed$CredDelete(Server) failed$CredDelete(Server,CRED_TYPE_DOMAIN_EXTENDED) failed$CredRead(Server) failed$DeleteSavedCreds(CRED_TYPE_DOMAIN_PASSWORD) failed$DeleteSavedCreds(CRED_TYPE_GENERIC) failed$GetTargetForExtednedCredential failed
API String ID: 2517384270-379508815
Opcode ID: 7d9520b98677c989ee0b296d398b151488d90064faabbcbeb00f616356b34591
Instruction ID: 548fabf8e3a948f455fd48bfe609e64b5389168e81b3d25be0598b8dceb13ee0
Opcode Fuzzy Hash: 7d9520b98677c989ee0b296d398b151488d90064faabbcbeb00f616356b34591
Instruction Fuzzy Hash: B6E1B031B1DA43E6FF619B66D48837922F1AF8478AF644035C90DEE7E1EE6CE8458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603239A0, Relevance: 27.0, APIs: 10, Strings: 5, Instructions: 784windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 00007FF660323AE2
LoadCursorW.USER32 ref: 00007FF660323BAF
SetCursor.USER32 ref: 00007FF660323BB8
DefWindowProcW.USER32 ref: 00007FF660323BF0
GetClientRect.USER32 ref: 00007FF660323CAF
IsIconic.USER32 ref: 00007FF6603240DB
memset.MSVCRT ref: 00007FF66032441A
GetTitleBarInfo.USER32 ref: 00007FF660324429
GetCursorPos.USER32 ref: 00007FF660324433

Part of subcall function 00007FF660323874: memset.MSVCRT ref: 00007FF6603238A8
Part of subcall function 00007FF660323874: SendInput.USER32 ref: 00007FF660323967

Part of subcall function 00007FF6603224CC: IsZoomed.USER32 ref: 00007FF6603224F8
Part of subcall function 00007FF6603224CC: memset.MSVCRT ref: 00007FF660322637
Part of subcall function 00007FF6603224CC: GetWindowPlacement.USER32 ref: 00007FF660322649
Part of subcall function 00007FF6603224CC: SetWindowPlacement.USER32 ref: 00007FF660322669

SendMessageW.USER32 ref: 00007FF660324504

Strings

SyncSessionDisplaySettings failed, xrefs: 00007FF660324330
get_RemoteMonitorCount failed!, xrefs: 00007FF6603241A4
mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6, xrefs: 00007FF660323C54
FALSE, xrefs: 00007FF6603241EA
TRUE, xrefs: 00007FF6603241E0

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorWindowmemset$PlacementSend$ClientFocusIconicInfoInputLoadMessageProcRectTitleZoomed
String ID: FALSE$SyncSessionDisplaySettings failed$TRUE$get_RemoteMonitorCount failed!$mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6
API String ID: 3459159575-4245442228
Opcode ID: 726d6a45eea21a1dfe24567ee0f805af3161c2755c47af2fa3cbff110f19afad
Instruction ID: bff90d0d79143ea10000d710a70ee916a777eec4cf27c12bd303a3090245b553
Opcode Fuzzy Hash: 726d6a45eea21a1dfe24567ee0f805af3161c2755c47af2fa3cbff110f19afad
Instruction Fuzzy Hash: F6726126A08A47E6FB64DF6AD44427827B1FF84B85F144536DA0EEF7A1CE3CE4458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603235EC, Relevance: 22.6, APIs: 15, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF660319B0C: MultiByteToWideChar.KERNEL32 ref: 00007FF660319B74

CreateRectRgn.GDI32 ref: 00007FF66032364D
CreateRectRgn.GDI32 ref: 00007FF660323661
CreateRectRgn.GDI32 ref: 00007FF660323674
EqualRect.USER32 ref: 00007FF660323685
OffsetRect.USER32 ref: 00007FF6603236B0
SetRectRgn.GDI32 ref: 00007FF660323703
CombineRgn.GDI32 ref: 00007FF660323719
EqualRgn.GDI32 ref: 00007FF660323725
OffsetRect.USER32 ref: 00007FF660323771
IntersectRect.USER32 ref: 00007FF660323782
CopyRect.USER32 ref: 00007FF66032378F
OffsetRect.USER32 ref: 00007FF6603237A4
DeleteObject.GDI32 ref: 00007FF6603237AD
DeleteObject.GDI32 ref: 00007FF6603237B6
DeleteObject.GDI32 ref: 00007FF6603237C0

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$CreateDeleteObjectOffset$Equal$ByteCharCombineCopyIntersectMultiWide
String ID:
API String ID: 95573418-0
Opcode ID: b26c54845fba2beff1f71a4a1e422a58200e4743b98d71e04f2245f5ea6860ae
Instruction ID: a8a098dc84b9f246a904485b025fcfdf7bd226bc71a1b6571c685172b64914dc
Opcode Fuzzy Hash: b26c54845fba2beff1f71a4a1e422a58200e4743b98d71e04f2245f5ea6860ae
Instruction Fuzzy Hash: 6E516D32B14653E6EB14CB76E8489AD33B1FB48B85F508035DE0AABB54DE3CE805CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66039C560, Relevance: 16.7, APIs: 11, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF66039C5A3
IsWindow.USER32 ref: 00007FF66039C5B5
IsIconic.USER32 ref: 00007FF66039C5C6
GetSystemMetrics.USER32 ref: 00007FF66039C5D6
GetSystemMetrics.USER32 ref: 00007FF66039C5E6
GetWindowRect.USER32 ref: 00007FF66039C5F8
PtInRect.USER32 ref: 00007FF66039C609
PtInRect.USER32 ref: 00007FF66039C61B
SystemParametersInfoW.USER32 ref: 00007FF66039C67C
CopyRect.USER32 ref: 00007FF66039C6E2
SetWindowPos.USER32 ref: 00007FF66039C7C9

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$System$Metrics$CopyIconicInfoParameters
String ID:
API String ID: 3517074850-0
Opcode ID: 5f0bc226f1aecc8d8844f41ec5a1d609f32b69176810b5b6982512846d8fd78a
Instruction ID: 819bc64d1c54e35b59eed02e1c486c6496ad37eb96e43b8bcbd9d399b94d465c
Opcode Fuzzy Hash: 5f0bc226f1aecc8d8844f41ec5a1d609f32b69176810b5b6982512846d8fd78a
Instruction Fuzzy Hash: 1B811932B28603EAFB50CFA9D8446AC27B1EB44749F544435DA0DEB795EF38E8558B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032CE08, Relevance: 12.1, APIs: 8, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF66032CE43
SendMessageW.USER32 ref: 00007FF66032CE61
wcsncmp.MSVCRT ref: 00007FF66032CE87
SendMessageW.USER32 ref: 00007FF66032CEB4
SendMessageW.USER32 ref: 00007FF66032CF22
SendMessageW.USER32 ref: 00007FF66032CF3B
SendMessageW.USER32 ref: 00007FF66032CF52
SendMessageW.USER32 ref: 00007FF66032CF66

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$wcsncmp
String ID:
API String ID: 2995519212-0
Opcode ID: 1308fa11f25032c0681da3dded433d8aba294aa83d02f2554db0e54de43a8575
Instruction ID: d2808ac40fffa90de13d99774191d0139be94c4cdd17e1791933af602b086ea4
Opcode Fuzzy Hash: 1308fa11f25032c0681da3dded433d8aba294aa83d02f2554db0e54de43a8575
Instruction Fuzzy Hash: 0941D031B28643F2FB608F21E814B792261EF85BA4F545231DD2D9BBD4CE3CE4458B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66041D15C, Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 476timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF66041D251
SystemTimeToFileTime.KERNEL32 ref: 00007FF66041D25F
EventActivityIdControl.ADVAPI32 ref: 00007FF66041D314

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

GetProviderInstanceHelper failed, xrefs: 00007FF66041D7F9

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$ActivityAddressControlEventFileFreeHandleLibraryMessageModuleProcTrace
String ID: GetProviderInstanceHelper failed
API String ID: 970297616-2899791145
Opcode ID: 135842ab1c25acd707eb01478ccf4b28c5f5a8d33a98c69779b2ba946d0e58be
Instruction ID: d468765de3c0ba87b32776af8e00f70135d43fea48e07965d57af3baf2161ae9
Opcode Fuzzy Hash: 135842ab1c25acd707eb01478ccf4b28c5f5a8d33a98c69779b2ba946d0e58be
Instruction Fuzzy Hash: 5A329D72A08B56E9EB248F69D8442BC37B1FB48B88F504176DE4D9B7A4DF38E461C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66042F5EC, Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66042F620
GetVersionExW.KERNEL32 ref: 00007FF66042F632
GetVersionExW.KERNEL32 ref: 00007FF66042F649

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Version$memset
String ID:
API String ID: 3607446104-0
Opcode ID: 04f4032da83b7a8fb150d272f344c711e858e5b75a80437af916ef443957533c
Instruction ID: 23bd80027c14f93d20009ccc65982957248e0f7b675095bee341870911d3b3e7
Opcode Fuzzy Hash: 04f4032da83b7a8fb150d272f344c711e858e5b75a80437af916ef443957533c
Instruction Fuzzy Hash: 41313C35B5E142E6FB788B25E56077932B0EF98704F944139D64ECABA4EF2DE9418B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66033D944, Relevance: 33.6, APIs: 8, Strings: 11, Instructions: 386COMMON

Download Yara Rule

Strings

spConfigCollection->AddConfig failed, xrefs: 00007FF66033DE29
StringCchLength failed, xrefs: 00007FF66033DB09
StringCchCopy failed, xrefs: 00007FF66033DBE0
spConfigCollection->put_RedirectByDefault failed, xrefs: 00007FF66033DD31
TCHAR[], xrefs: 00007FF66033DB75
;, xrefs: 00007FF66033D95E
QI for IMsRdpClientNonScriptable7 failed!, xrefs: 00007FF66033D9E3
spConfigCollection->put_EncodeVideo failed, xrefs: 00007FF66033DCED
spConfigCollection->put_EncodingQuality failed, xrefs: 00007FF66033DF0F
spRdpNonScript->get_CameraRedirConfigCollection failed, xrefs: 00007FF66033DA65
BSTR, xrefs: 00007FF66033DE82

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ;$BSTR$QI for IMsRdpClientNonScriptable7 failed!$StringCchCopy failed$StringCchLength failed$TCHAR[]$spConfigCollection->AddConfig failed$spConfigCollection->put_EncodeVideo failed$spConfigCollection->put_EncodingQuality failed$spConfigCollection->put_RedirectByDefault failed$spRdpNonScript->get_CameraRedirConfigCollection failed
API String ID: 0-733702008
Opcode ID: dc8686e18fac17a8589ff620b77f3bfd71bca40468cdeac30a292f54d1e40ac6
Instruction ID: d9b79f3d2318eabbd55ecc69c35d299dc4c19c67ca7ad058227b3b819606f4b8
Opcode Fuzzy Hash: dc8686e18fac17a8589ff620b77f3bfd71bca40468cdeac30a292f54d1e40ac6
Instruction Fuzzy Hash: 9A026D21A1DA83F5EB688F15E8842B827B1EF48B99F540435D90EDB7A1DF7DE846C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66041C61C, Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 157libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C696
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C6A5
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C70F
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C71D
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C754
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C763
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C7A9
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C7B8
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C7FE
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C80D
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C853
GetLastError.KERNEL32(?,?,?,?,?,00007FF66041C573,?,?,?,?,?,00007FF66041C453), ref: 00007FF66041C862

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

EventWrite, xrefs: 00007FF66041C74D
EventRegister, xrefs: 00007FF66041C705
EventEnabled, xrefs: 00007FF66041C7F7
EventUnregister, xrefs: 00007FF66041C7A2
EventActivityIdControl, xrefs: 00007FF66041C84C
advapi32.dll, xrefs: 00007FF66041C68F

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorLastProc$Library$FreeHandleLoadMessageModuleTrace
String ID: EventActivityIdControl$EventEnabled$EventRegister$EventUnregister$EventWrite$advapi32.dll
API String ID: 1160421829-2747569715
Opcode ID: f23eaf6f29573eef5d61c475d70ea09db8264552d14523e205bc543ceb155fcb
Instruction ID: 691a7b1d4db5b33c3312a31b9f23d473ec21c780c13245ebfda9045fe58d6f0e
Opcode Fuzzy Hash: f23eaf6f29573eef5d61c475d70ea09db8264552d14523e205bc543ceb155fcb
Instruction Fuzzy Hash: 5C713921A18B43E5FB719B25D84837826B1EF48B48F0418BAC94DCB3A5DF7CE8658B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660318140, Relevance: 25.7, APIs: 17, Instructions: 229filememoryCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF660318189
CreateFileW.KERNEL32 ref: 00007FF6603181F2
GetLastError.KERNEL32 ref: 00007FF660318206
CreateFileW.KERNEL32 ref: 00007FF66031828E
GetLastError.KERNEL32 ref: 00007FF66031829D
GetFileSize.KERNEL32 ref: 00007FF660318307
GetFileSize.KERNEL32 ref: 00007FF660318314
LocalAlloc.KERNEL32 ref: 00007FF66031832C
CloseHandle.KERNEL32 ref: 00007FF6603184C4
CloseHandle.KERNEL32 ref: 00007FF6603184D3
LocalFree.KERNEL32 ref: 00007FF6603184E1
LocalFree.KERNEL32 ref: 00007FF6603184EF

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Local$CloseCreateErrorFreeHandleLastSize$Alloc_wcsicmp
String ID:
API String ID: 3114863935-0
Opcode ID: 6038707e40e5bf8c2904ab3c9c1327aea9180523bc8c5bb0963e2ef9d6294a08
Instruction ID: e4d5f46955ee39becd65098896bacfad9f90662d8db030291b1b93e17acce8a9
Opcode Fuzzy Hash: 6038707e40e5bf8c2904ab3c9c1327aea9180523bc8c5bb0963e2ef9d6294a08
Instruction Fuzzy Hash: A5B1BD61A08A43E1EB648F2AD48437932B1FF48B99F004579CA1DDB7E1DFBCE4958708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660312154, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32 ref: 00007FF66031217C
EnterCriticalSection.KERNEL32 ref: 00007FF66031219A
LeaveCriticalSection.KERNEL32 ref: 00007FF6603121C3
TranslateAcceleratorW.USER32 ref: 00007FF6603121D9
IsDialogMessageW.USER32 ref: 00007FF6603121EF
TranslateMessage.USER32 ref: 00007FF66031220C
DispatchMessageW.USER32 ref: 00007FF660312217
EnterCriticalSection.KERNEL32 ref: 00007FF660312237
LeaveCriticalSection.KERNEL32 ref: 00007FF66031230F

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313280: TraceMessage.ADVAPI32 ref: 00007FF6603132FF

GetMessageW.USER32 ref: 00007FF6603123EC

Strings

Could not instantiate remote session, xrefs: 00007FF660312346
spRemoteSession->StartShell failed., xrefs: 00007FF660312391
CTscRemoteSession::CreateInstance failed!, xrefs: 00007FF6603122D4

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$CriticalSection$EnterLeaveTranslate$AcceleratorAddressDialogDispatchFreeHandleLibraryModuleProcTrace
String ID: CTscRemoteSession::CreateInstance failed!$Could not instantiate remote session$spRemoteSession->StartShell failed.
API String ID: 290541506-452829598
Opcode ID: 49c7f25ed7da48566cf2908b80ac8a212be5e9a0dbe4f0316e769658c0d82b61
Instruction ID: fe7063db766f046ef9d9995e8f5c42aacb190d132e761ffcf8f79bef97813eeb
Opcode Fuzzy Hash: 49c7f25ed7da48566cf2908b80ac8a212be5e9a0dbe4f0316e769658c0d82b61
Instruction Fuzzy Hash: 71814925A18A47F1EB608F16E84427837B1FF89B89F580475D90EEB3A4DE3CE865C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660326D38, Relevance: 19.7, APIs: 13, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF660326D9D
SetWindowLongPtrW.USER32 ref: 00007FF660326E16
GetDlgItem.USER32 ref: 00007FF660326E25
GetDlgItem.USER32 ref: 00007FF660326E38
GetWindowRect.USER32 ref: 00007FF660326E4B
GetWindowRect.USER32 ref: 00007FF660326E65
GetWindowRect.USER32 ref: 00007FF660326E74
GetWindowLongPtrW.USER32 ref: 00007FF660326E83
MulDiv.KERNEL32 ref: 00007FF660326EB7
MulDiv.KERNEL32 ref: 00007FF660326EDA
GetLastError.KERNEL32 ref: 00007FF660326F0A
GetLastError.KERNEL32 ref: 00007FF660326F68
SetWindowTextW.USER32 ref: 00007FF660326FB1

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF6603153C0: TraceMessage.ADVAPI32 ref: 00007FF6603153F7

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ErrorLastRect$ItemLong$AddressFreeHandleLibraryMessageModuleProcTextTrace
String ID:
API String ID: 1932915165-0
Opcode ID: 5487f519b8d410255eafe4643679faaac4c08b22078421487f05d3812e648368
Instruction ID: 2e3edd475223c3052c4984e003e3a5474f83d8158c71bf6a6c9bc299e576ff56
Opcode Fuzzy Hash: 5487f519b8d410255eafe4643679faaac4c08b22078421487f05d3812e648368
Instruction Fuzzy Hash: C6717E35A08B46E6EB64CF26E44426A77B0FF88745F000035DA8E9B7A5DF7CE545CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032696C, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229windowmemoryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FF6603269B4
LoadIconW.USER32 ref: 00007FF660326A1B
ImageList_ReplaceIcon.COMCTL32 ref: 00007FF660326A31
LocalAlloc.KERNEL32 ref: 00007FF660326AFF
memset.MSVCRT ref: 00007FF660326BEC
SendMessageW.USER32 ref: 00007FF660326C24
LocalFree.KERNEL32 ref: 00007FF660326D0E

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313280: TraceMessage.ADVAPI32 ref: 00007FF6603132FF

Strings

P , xrefs: 00007FF660326992
StringCchCopy failed!, xrefs: 00007FF660326BC2

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeIconImageLoadLocalMessage$AddressAllocHandleLibraryList_ModuleProcReplaceSendTracememset
String ID: P $StringCchCopy failed!
API String ID: 1318645602-3918457494
Opcode ID: 613365afb0eac7aa65db276939283e9ee96c12fc87972ead3573ccb02bc335de
Instruction ID: 0b3982d4e4402ef98bcc2970a54ed9d8dba48600610c9c0f2a5810ae62c55e4c
Opcode Fuzzy Hash: 613365afb0eac7aa65db276939283e9ee96c12fc87972ead3573ccb02bc335de
Instruction Fuzzy Hash: 60B17861A18A87E1EB64DF12E4443B827B1FF84B89F444135DA5EAB391DF7CE851C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66033B1F4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 122COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF66033B23B

Strings

MRU9, xrefs: 00007FF66033B390
MRU5, xrefs: 00007FF66033B344
MRU6, xrefs: 00007FF66033B357
MRU1, xrefs: 00007FF66033B2F8
MRU4, xrefs: 00007FF66033B331
MRU3, xrefs: 00007FF66033B31E
MRU7, xrefs: 00007FF66033B36A
MRU0, xrefs: 00007FF66033B2E5
MRU2, xrefs: 00007FF66033B30B
MRU8, xrefs: 00007FF66033B37D

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsnicmp
String ID: MRU0$MRU1$MRU2$MRU3$MRU4$MRU5$MRU6$MRU7$MRU8$MRU9
API String ID: 1886669725-961220685
Opcode ID: 4d23850aeda26fcd979f4170cf56c7f9a7192b36cdfad91e5e94fdc60ce8f179
Instruction ID: 2dfcaa74e15c3495c9a87a32887a23ab6b00d15ef04747bbfb24e9a707c36075
Opcode Fuzzy Hash: 4d23850aeda26fcd979f4170cf56c7f9a7192b36cdfad91e5e94fdc60ce8f179
Instruction Fuzzy Hash: 59512162A18A87F1FA20DF25D8406E92371FB44789F904432DE4C9F766DE3CE68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603221AC, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32 ref: 00007FF660322240
SetWindowPlacement.USER32 ref: 00007FF6603222F7
GetWindowRect.USER32 ref: 00007FF66032230D
GetWindowLongW.USER32 ref: 00007FF66032231C
SetWindowLongW.USER32 ref: 00007FF660322333
SetWindowRgn.USER32 ref: 00007FF660322343
SetWindowPos.USER32 ref: 00007FF660322373
ShowWindow.USER32 ref: 00007FF66032238E
LockWindowUpdate.USER32 ref: 00007FF660322396

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

2, xrefs: 00007FF66032235B

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$LockLongUpdate$AddressFreeHandleLibraryMessageModulePlacementProcRectShowTrace
String ID: 2
API String ID: 980289830-450215437
Opcode ID: cbb3193e64a35b076dcd585add8905eab28121283cd6d01d884f9206d03b157e
Instruction ID: 12b81e251b04d6e50e597d49ccf32fd95f6abb043472c62232c3f91c7bc361d7
Opcode Fuzzy Hash: cbb3193e64a35b076dcd585add8905eab28121283cd6d01d884f9206d03b157e
Instruction Fuzzy Hash: AC617232A18682EAEB54DF35D8503AC3370EB88B49F045131EA0E9A759CF3CE995CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032061C, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 230windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32 ref: 00007FF660320841
DeleteMenu.USER32 ref: 00007FF660320967

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF66031E4BC: memset.MSVCRT ref: 00007FF66031E4E1
Part of subcall function 00007FF66031E4BC: GetMenuItemInfoW.USER32 ref: 00007FF66031E504
Part of subcall function 00007FF66031E4BC: GetLastError.KERNEL32 ref: 00007FF66031E539

Strings

QueryInterface(IID_IMsRdpExtendedSettings) failed!, xrefs: 00007FF6603206C7, 00007FF6603208CC
ZoomLevel, xrefs: 00007FF6603206F8
get_AdvancedSettings2 failed!, xrefs: 00007FF6603207F4
d, xrefs: 00007FF66032074E
Unable to get property UTREG_UI_ZOOM_LEVEL!, xrefs: 00007FF66032073E
ManualClipboardSyncEnabled, xrefs: 00007FF660320900
Unable to get property UTREG_UI_MANUAL_CLIP_SYNC_ENABLED!, xrefs: 00007FF660320946

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$AddressCheckDeleteErrorFreeHandleInfoLastLibraryModuleProcmemset
String ID: ManualClipboardSyncEnabled$QueryInterface(IID_IMsRdpExtendedSettings) failed!$Unable to get property UTREG_UI_MANUAL_CLIP_SYNC_ENABLED!$Unable to get property UTREG_UI_ZOOM_LEVEL!$ZoomLevel$d$get_AdvancedSettings2 failed!
API String ID: 1038980783-3665312683
Opcode ID: 644710e7f55edb0a21daa6204de47009d97c78ec6a4cf6a7ffa20ad999fb6397
Instruction ID: 087cfc67ec3457207a9b8930f3cb301f4f63f92a18d042c01c6a8476273ec30b
Opcode Fuzzy Hash: 644710e7f55edb0a21daa6204de47009d97c78ec6a4cf6a7ffa20ad999fb6397
Instruction Fuzzy Hash: D3B14E26A18B47E5EB60CF26D8506A937B1FB88B88F504036DE0E9B765DF3CE155C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660328990, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32 ref: 00007FF6603289DC
RealizePalette.GDI32 ref: 00007FF6603289E8
SelectPalette.GDI32 ref: 00007FF660328A28
GetClientRect.USER32 ref: 00007FF660328A4E
CreateSolidBrush.GDI32 ref: 00007FF660328A59
SelectObject.GDI32 ref: 00007FF660328A65
PatBlt.GDI32 ref: 00007FF660328A88

Strings

!, xrefs: 00007FF660328A7A

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: PaletteSelect$BrushClientCreateObjectRealizeRectSolid
String ID: !
API String ID: 1484475077-2657877971
Opcode ID: 550435d5c0a35eb7f6767441fb7ab1bd32710c010bb9a53b649da91e86770db2
Instruction ID: 0225d7bf564c9086a2dd7f3a89d888e17c20d905dd1532981186abd686e2bef1
Opcode Fuzzy Hash: 550435d5c0a35eb7f6767441fb7ab1bd32710c010bb9a53b649da91e86770db2
Instruction Fuzzy Hash: 7831903271A642D2EA688B16A8142796370FF88F81F085131DE4E8FB54CF3CE8918740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660329630, Relevance: 13.7, APIs: 9, Instructions: 200windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00007FF6603296C8
IsWindow.USER32 ref: 00007FF6603296F3
ShowWindow.USER32 ref: 00007FF660329816
SetForegroundWindow.USER32 ref: 00007FF66032982A
SetFocus.USER32 ref: 00007FF660329845
GetLastError.KERNEL32 ref: 00007FF660329850
ShowWindow.USER32 ref: 00007FF66032989F

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF6603153C0: TraceMessage.ADVAPI32 ref: 00007FF6603153F7

IsWindowVisible.USER32 ref: 00007FF6603298D1
ShowWindow.USER32 ref: 00007FF66032992A

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$AddressErrorFocusForegroundFreeHandleKillLastLibraryMessageModuleProcTimerTraceVisible
String ID:
API String ID: 467989063-0
Opcode ID: 1a44a677f684e087012cbbbe8fce5cf1a15e0d67fae4beca5e96f9eb2a76cb10
Instruction ID: 5bdcdae673c4a841b0b92abb5ee7315de35805a1e97f31df1841c2f9092d046c
Opcode Fuzzy Hash: 1a44a677f684e087012cbbbe8fce5cf1a15e0d67fae4beca5e96f9eb2a76cb10
Instruction Fuzzy Hash: AF918F22A18B43E6EB649F16D44037977B1FF84B89F084436CA4E9B7A1CF7CE4568784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660321A1C, Relevance: 13.6, APIs: 9, Instructions: 66windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF660321A36
ShowWindow.USER32 ref: 00007FF660321A42

Part of subcall function 00007FF660324FD8: TraceMessage.ADVAPI32 ref: 00007FF660324FEB

IsWindow.USER32 ref: 00007FF660321A82
SendMessageW.USER32 ref: 00007FF660321A9E
ShowWindow.USER32 ref: 00007FF660321AAE
SetForegroundWindow.USER32 ref: 00007FF660321ABB
InvalidateRect.USER32 ref: 00007FF660321ACE
UpdateWindow.USER32 ref: 00007FF660321ADB

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$Message$ForegroundInvalidateRectSendTraceUpdate
String ID:
API String ID: 3422817459-0
Opcode ID: 3fec9ec135b8ea88dd65aaa3116ebbd43a9929fb33735f9b3467163c3bdbf219
Instruction ID: 6dff7770ff49c7709d39e4880adbcacc5d306cbd77ec76dc05a0124fbd9f1c13
Opcode Fuzzy Hash: 3fec9ec135b8ea88dd65aaa3116ebbd43a9929fb33735f9b3467163c3bdbf219
Instruction Fuzzy Hash: 34310731A09A82E5EBA48F21E5943B82371EFE4B49F154031CE0E9A7A4DF7DE4A5C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032B944, Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66032B973
GetLastError.KERNEL32 ref: 00007FF66032B9D8
GetDlgItem.USER32 ref: 00007FF66032BA44
GetClientRect.USER32 ref: 00007FF66032BA5A
InvalidateRect.USER32 ref: 00007FF66032BA6E
MapWindowPoints.USER32 ref: 00007FF66032BA89
RedrawWindow.USER32 ref: 00007FF66032BAA4
SetDlgItemTextW.USER32 ref: 00007FF66032BABB

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemRectWindow$ClientErrorInvalidateLastPointsRedrawTextmemset
String ID:
API String ID: 2854542884-0
Opcode ID: a934f4a9dc8ebad39404a719b893e6c6775c5ef1f49ffcdb381c7c98660f0542
Instruction ID: 6562b599e31fd7968c9f3ec30aeedcba149e36c3d56b3c2ab19aefd308d028e1
Opcode Fuzzy Hash: a934f4a9dc8ebad39404a719b893e6c6775c5ef1f49ffcdb381c7c98660f0542
Instruction Fuzzy Hash: DC419C31B1CA83E2FB648B15E4543A963B0FF94B85F504032DA4E9BB94DF3CE5668740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603291D0, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF660329B88: GetClientRect.USER32 ref: 00007FF660329BBB
Part of subcall function 00007FF660329B88: RedrawWindow.USER32 ref: 00007FF660329BDD

GetLastError.KERNEL32(?,00000000,?,00000000,?,00007FF660326226), ref: 00007FF6603292FE
GetLastError.KERNEL32(?,00000000,?,00000000,?,00007FF660326226), ref: 00007FF6603294E9

Part of subcall function 00007FF66032A400: SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A440
Part of subcall function 00007FF66032A400: memset.MSVCRT ref: 00007FF66032A462
Part of subcall function 00007FF66032A400: SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A485
Part of subcall function 00007FF66032A400: lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A49C
Part of subcall function 00007FF66032A400: SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A510
Part of subcall function 00007FF66032A400: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A55C
Part of subcall function 00007FF66032A400: SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF660329523,?,00000000,?,00000000), ref: 00007FF66032A579

ShellMessageBoxW.SHLWAPI ref: 00007FF660329551
GetLastError.KERNEL32(?,00000000,?,00000000,?,00007FF660326226), ref: 00007FF66032948A

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF6603251F4: TraceMessage.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF66032F2DD), ref: 00007FF66032527D

Part of subcall function 00007FF6603173EC: _vsnwprintf.MSVCRT ref: 00007FF66031742C

Strings

StringCchPrintf failed, xrefs: 00007FF6603293E7
@, xrefs: 00007FF660329543

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ErrorLast$Free$AddressClientHandleLibraryLocalModuleProcRectRedrawShellTraceWindow_vsnwprintflstrcmpimemset
String ID: @$StringCchPrintf failed
API String ID: 2587269334-1862382763
Opcode ID: fa4c47c557d98a4db4b3319c8ea4de6c1cce0f26de5cc83657fc1a0041844b5d
Instruction ID: 1561e31db89c8be4b9eb8304495c93291c8f3f8bc39316c8e6d0b01961cc6dcf
Opcode Fuzzy Hash: fa4c47c557d98a4db4b3319c8ea4de6c1cce0f26de5cc83657fc1a0041844b5d
Instruction Fuzzy Hash: 3FC18E62A1C643F2EB61DF15D4402B922B1FF85B49F240032DA4DEB7A6CE3DE956C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66035DA14, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF66035DA41
GetKeyboardLayout.USER32 ref: 00007FF66035DABB
LCIDToLocaleName.KERNEL32(?,?,?,?,?,00007FF660321572), ref: 00007FF66035DAD8
GetSystemMetrics.USER32 ref: 00007FF66035DB5C

Strings

StringCchPrintf failed, xrefs: 00007FF66035DB3D
Unknown, xrefs: 00007FF66035DAE2

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64KeyboardLayoutLocaleMetricsNameSystemTick
String ID: StringCchPrintf failed$Unknown
API String ID: 4038692497-1152532009
Opcode ID: 68c908f984fc89b3358ad2c9212de2f52d6f3327889514083022d4df889ed686
Instruction ID: 06c660d13d562a5a0c8cc1eac4233c7cb52d7bbdcdf1ebe9c9fed270c38b4aa2
Opcode Fuzzy Hash: 68c908f984fc89b3358ad2c9212de2f52d6f3327889514083022d4df889ed686
Instruction Fuzzy Hash: 88519D66A18A42EAFB628F25E8547B963B0FF48349F404135DA4CDB7A1EF3CE585C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66031E5E0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32 ref: 00007FF66031E6C8

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Strings

QueryInterface(IID_IMsRdpExtendedSettings) failed!, xrefs: 00007FF66031E726
d, xrefs: 00007FF66031E792
ZoomLevel, xrefs: 00007FF66031E73A
get_AdvancedSettings2 failed!, xrefs: 00007FF66031E666
get_Property(UTREG_UI_ZOOM_LEVEL) failed!, xrefs: 00007FF66031E77F

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCheckFreeHandleItemLibraryMenuModuleProc
String ID: QueryInterface(IID_IMsRdpExtendedSettings) failed!$ZoomLevel$d$get_AdvancedSettings2 failed!$get_Property(UTREG_UI_ZOOM_LEVEL) failed!
API String ID: 2554005805-433722845
Opcode ID: 4ec17adc08d81ef33bb9900209c5db341b0079008c4d6fd87209fb423eefeefe
Instruction ID: 0ecbc9c5863f6614708ce56274b73f6ae2fa4c5f87356b8be01f0d6dfa162394
Opcode Fuzzy Hash: 4ec17adc08d81ef33bb9900209c5db341b0079008c4d6fd87209fb423eefeefe
Instruction Fuzzy Hash: 5C513D26A08B57E5FB609F25D8802683771FF88B89F045171DE0D9BBA4EF3EE4958340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660330948, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF660330DBF
SysFreeString.OLEAUT32 ref: 00007FF660330E28
GetLastError.KERNEL32 ref: 00007FF660330D21

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660319E60: TraceMessage.ADVAPI32 ref: 00007FF660319EA3

Strings

GetErrorDescription failed, xrefs: 00007FF660330DAE
QI for IID_IMsRdpClient5 failed!, xrefs: 00007FF660330B24

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$AddressErrorHandleLastLibraryMessageModuleProcTrace
String ID: GetErrorDescription failed$QI for IID_IMsRdpClient5 failed!
API String ID: 1594537563-4244303628
Opcode ID: 14ea000fb55a51295de3db0960e7969136f9865173e4d2cf1132f366c78fff47
Instruction ID: b96dd58de9fb31c587e3bbc3a221a09c506ebce80fc5ecc4f9080762b32a4646
Opcode Fuzzy Hash: 14ea000fb55a51295de3db0960e7969136f9865173e4d2cf1132f366c78fff47
Instruction Fuzzy Hash: 4FF15E21A1CA87E1EA688F16D4A437927B1FF88B49F044432DA4DEF7A1DF7CE8458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032CA30, Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF66032CA73
GetLastError.KERNEL32 ref: 00007FF66032CA7F

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF6603153C0: TraceMessage.ADVAPI32 ref: 00007FF6603153F7

CoTaskMemAlloc.OLE32 ref: 00007FF66032CAE3
MultiByteToWideChar.KERNEL32 ref: 00007FF66032CB08
GetLastError.KERNEL32 ref: 00007FF66032CB12
CoTaskMemFree.OLE32 ref: 00007FF66032CB64

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharErrorFreeLastMultiTaskWide$AddressAllocHandleLibraryMessageModuleProcTrace
String ID:
API String ID: 3520896544-0
Opcode ID: 8193dfdcba8c9ec886eb346076ffd2d6cfc39823f9bc5ad44af8a231924f5139
Instruction ID: 82162aa447ce9a3dd6f1aee7cda2b1d395d3f310ec5a719c8e3bf04df94da021
Opcode Fuzzy Hash: 8193dfdcba8c9ec886eb346076ffd2d6cfc39823f9bc5ad44af8a231924f5139
Instruction Fuzzy Hash: F5417A32A18B43E2EB24CF56A84527966B1FF88B88F044935CA4DDB3A1DF7CE4558784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032A170, Relevance: 9.1, APIs: 6, Instructions: 67windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF660329249,?,00000000,?,00000000), ref: 00007FF66032A19F
memset.MSVCRT ref: 00007FF66032A1C6
SendMessageW.USER32 ref: 00007FF66032A1EB
lstrcmpiW.KERNEL32 ref: 00007FF66032A1F9
LocalFree.KERNEL32 ref: 00007FF66032A24E
SendMessageW.USER32 ref: 00007FF66032A26E

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$FreeLocallstrcmpimemset
String ID:
API String ID: 2915578346-0
Opcode ID: 6229db6c52d8f68083a78ef2c00673d795d8b9a6373336e2b779f3866adaabe3
Instruction ID: 7ac44ce635efa7dc0172b9ae06ba2796365d554f3c7184b0dee3b4b3e7e6c158
Opcode Fuzzy Hash: 6229db6c52d8f68083a78ef2c00673d795d8b9a6373336e2b779f3866adaabe3
Instruction Fuzzy Hash: 82317136618A82E6EB50CF11E89476A7370FB84B85F448031EE4E9BB54CF7DD4558B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032FDEC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

SysStringLen.OLEAUT32 ref: 00007FF66032FF16
SetDlgItemTextW.USER32 ref: 00007FF66032FF2E
SysFreeString.OLEAUT32 ref: 00007FF66032FF39

Strings

GetErrorDescription failed, xrefs: 00007FF66032FF00
QueryInterface(IID_IMsRdpClient7) failed!, xrefs: 00007FF66032FE7A

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$AddressHandleItemLibraryModuleProcText
String ID: GetErrorDescription failed$QueryInterface(IID_IMsRdpClient7) failed!
API String ID: 891591807-2578008790
Opcode ID: 23f09ab8f9cac6f7785964e69822001b405b45b0950c5a49d0326dd907d198b8
Instruction ID: 8015fa84753746f839aba9947ad0477fc0a9ca9e089e66310b422b8e1f34a182
Opcode Fuzzy Hash: 23f09ab8f9cac6f7785964e69822001b405b45b0950c5a49d0326dd907d198b8
Instruction Fuzzy Hash: 29514521A2CA47F6EB208F12E54437827B1FF85B89F544032DA0D9B7A5DF7CE8558B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660318DFC, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 121fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF660317EC5), ref: 00007FF660318EBC

Part of subcall function 00007FF660318510: GetVersionExW.KERNEL32 ref: 00007FF66031855E
Part of subcall function 00007FF660318510: GetLastError.KERNEL32 ref: 00007FF66031856F
Part of subcall function 00007FF660318510: SetForegroundWindow.USER32 ref: 00007FF660318672
Part of subcall function 00007FF660318510: memset.MSVCRT ref: 00007FF660318710

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

DeleteFileW.KERNEL32(?,?,?,?,?,00007FF660317EC5), ref: 00007FF660318FA2

Strings

Invalid CopyData params, xrefs: 00007FF660318F60
Failed to start remote application, xrefs: 00007FF660318F19
W, xrefs: 00007FF660318F58

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule$AddressDeleteErrorFileForegroundFreeLastLibraryProcVersionWindowmemset
String ID: Failed to start remote application$Invalid CopyData params$W
API String ID: 3775601900-358040794
Opcode ID: e992bb3bd99214138918b6729159f6877dc7763288f29cab91deaf7a09b66016
Instruction ID: edf347af08ef38eb8d35ac54135e4d2761f600e0b6d3c6f8cfef08d3f6298b9e
Opcode Fuzzy Hash: e992bb3bd99214138918b6729159f6877dc7763288f29cab91deaf7a09b66016
Instruction Fuzzy Hash: D2518C21A19643F5EB258F15E44027836B2FF48B89F584875D90CAF3A1DFBCE952C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660311220, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF660313260: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF660311270), ref: 00007FF660313264

GetCurrentThreadId.KERNEL32 ref: 00007FF660311296
CoInitialize.OLE32 ref: 00007FF6603112CE
GetModuleHandleW.KERNEL32 ref: 00007FF6603112E6
memset.MSVCRT ref: 00007FF660311360

Strings

Mscoree.dll, xrefs: 00007FF6603112DF

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$CriticalCurrentHandleModuleSectionThreadmemset
String ID: Mscoree.dll
API String ID: 221608614-4150509846
Opcode ID: c54cbfd595d16f541a992261299831132c741e9ed920799078260a44603d18d9
Instruction ID: e0932605c505e99133863a7edf5f84522fd4ede22dace84617b73d6d96ef1d3e
Opcode Fuzzy Hash: c54cbfd595d16f541a992261299831132c741e9ed920799078260a44603d18d9
Instruction Fuzzy Hash: A141D271E2C647F5F7219B12E8593B423B0AF28349F44517AE40ECE3A1EF6CA499C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660314184, Relevance: 7.6, APIs: 5, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6603141DE
RegCloseKey.ADVAPI32 ref: 00007FF6603141F8
RegEnumKeyExW.ADVAPI32 ref: 00007FF66031425A
RegCloseKey.ADVAPI32 ref: 00007FF66031426E
RegCloseKey.ADVAPI32 ref: 00007FF660314291

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 4e0538b62df95c1ff34e6a131833d55c9f49514b363a88ef3207f67c625e9cfa
Instruction ID: 803128777974c24d1d85312bfcdde804f063304f86f8f1b280a0ffce4d0b27d9
Opcode Fuzzy Hash: 4e0538b62df95c1ff34e6a131833d55c9f49514b363a88ef3207f67c625e9cfa
Instruction Fuzzy Hash: F5315D32609B42D2EB60DB65F49036A73B4FB8D789F100135EA8D8BB64DF3CD4858B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66031AE0C, Relevance: 7.6, APIs: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FF66031AEA9
SendMessageW.USER32 ref: 00007FF66031AEC0
LoadImageW.USER32 ref: 00007FF66031AEDE
LoadIconW.USER32 ref: 00007FF66031AEF7
SendMessageW.USER32 ref: 00007FF66031AF13

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$ImageMessageSend$Icon
String ID:
API String ID: 3961356912-0
Opcode ID: 5f32fff40c7ead2b88519c0b9a816f2d386761f456ad213ec1a7f107d87a746f
Instruction ID: 59577c15b5ebf8e45f46e2fd4f31592c73e455fd400be87e692dbf5740e1b027
Opcode Fuzzy Hash: 5f32fff40c7ead2b88519c0b9a816f2d386761f456ad213ec1a7f107d87a746f
Instruction Fuzzy Hash: F7314C32A09A42E6E7608F16D44076973B1FB88B86F188139CE4D9B7A4DF3DE4568B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660319278, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF660319299

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

CTscRemoteSession::StartShell failed, xrefs: 00007FF660319369
pos, xrefs: 00007FF6603194B2
CTscRemoteSession::CreateInstance failed, xrefs: 00007FF6603192EF

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule$AddressFreeLibraryMessageProcTrace
String ID: CTscRemoteSession::CreateInstance failed$CTscRemoteSession::StartShell failed$pos
API String ID: 1798875003-6731281
Opcode ID: 9244916c15709fc7159675e565e7cbfee86b9957f93d05ebbee2eacb72ba5f8c
Instruction ID: 9588a5e8b22cbf54f1b66d6fb89f180aeb7c7e22c5ed32a34c8db87a193d61ba
Opcode Fuzzy Hash: 9244916c15709fc7159675e565e7cbfee86b9957f93d05ebbee2eacb72ba5f8c
Instruction Fuzzy Hash: 66715621A18B57E1EB24CF16D8403A837B1FB88B89F0500B6DE4DAB7A5DF7CE5468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603605B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32 ref: 00007FF66036060B
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF66036062E
RegCloseKey.ADVAPI32 ref: 00007FF660360674

Strings

mstsc.chm, xrefs: 00007FF6603605B7

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnvironmentExpandQueryStringsValue
String ID: mstsc.chm
API String ID: 3208834983-3064083418
Opcode ID: c78b735a481798fea92a6f4ccb24d4227d91a1663a27deac62cbae82c9cbc698
Instruction ID: e4cfc6ae84bac2691563b6660d97629dd6a84ee5728e7cd6227919c5a825a7a6
Opcode Fuzzy Hash: c78b735a481798fea92a6f4ccb24d4227d91a1663a27deac62cbae82c9cbc698
Instruction Fuzzy Hash: 5E21C432728A92D5EB618F16E5543AB67B4EB88B80F444135DF8D8BB54CF3CD565CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032B5C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF66032B5DD
GetDeviceCaps.GDI32 ref: 00007FF66032B5F1
ReleaseDC.USER32 ref: 00007FF66032B5FE

Strings

gfff, xrefs: 00007FF66032B644

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceRelease
String ID: gfff
API String ID: 127614599-1553575800
Opcode ID: fb3d6f48aca1b3758450430e86b4487c5366f15e24e8309b45cf5bfd503896fc
Instruction ID: 77d19edadf00bbaabf8ec8f65d5670df6471a5c6fd1c024c2a3a0b82dee2d1e9
Opcode Fuzzy Hash: fb3d6f48aca1b3758450430e86b4487c5366f15e24e8309b45cf5bfd503896fc
Instruction Fuzzy Hash: B211C632B08747E2EB688A69E48413D22B2FB88751F494535DA4EDF794DF3CF4598780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660397180, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6603971AB
MonitorFromWindow.USER32 ref: 00007FF6603971BE
GetMonitorInfoW.USER32 ref: 00007FF6603971D9

Strings

(, xrefs: 00007FF6603971CE

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Monitor$FromInfoWindowmemset
String ID: (
API String ID: 3243216283-3887548279
Opcode ID: 93ed731345ed01cb9e8c315d8fb4862329ba62bca75612ff92fd607092735642
Instruction ID: 4fac19518b06222e6dba1ba0e8cedda9019d7863b2bce69f90aa7accef804408
Opcode Fuzzy Hash: 93ed731345ed01cb9e8c315d8fb4862329ba62bca75612ff92fd607092735642
Instruction Fuzzy Hash: F3014872A14602D6EB209F16E95526A73B0EF98B95F448130DB8D8B794EE3CD9958F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660327A04, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF660327A2E
SetWindowLongPtrW.USER32 ref: 00007FF660327A4B
SetWindowPos.USER32 ref: 00007FF660327A6E

Strings

7, xrefs: 00007FF660327A51

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long
String ID: 7
API String ID: 847901565-1790921346
Opcode ID: 358decb5ba6fc39ad897cdbf493622d2b440b73540b719a5397f32a20681ffb5
Instruction ID: 232a5c505390e116babe6f8d5f56b9edb3957c61a034fce47732c7bd7af7769a
Opcode Fuzzy Hash: 358decb5ba6fc39ad897cdbf493622d2b440b73540b719a5397f32a20681ffb5
Instruction Fuzzy Hash: 0D01D622A18691D3E3708B16E98573E6261FB84BE9F148234EE5997F98CF3CC4458B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660323570, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF660319B0C: MultiByteToWideChar.KERNEL32 ref: 00007FF660319B74

CreateRectRgnIndirect.GDI32 ref: 00007FF6603235A7
CombineRgn.GDI32 ref: 00007FF6603235BF
DeleteObject.GDI32 ref: 00007FF6603235C8

Strings

(, xrefs: 00007FF66032358E

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCombineCreateDeleteIndirectMultiObjectRectWide
String ID: (
API String ID: 3328644174-3887548279
Opcode ID: 3725a1635e4039e837c041fb8681c93f58811114c6879b0b16dc0762e6b453f0
Instruction ID: 04f3543e717a6ec6eabb6e7595e0a87195b41c4c95d301a87bba66abc75b1f9e
Opcode Fuzzy Hash: 3725a1635e4039e837c041fb8681c93f58811114c6879b0b16dc0762e6b453f0
Instruction Fuzzy Hash: C7F08C71A09B02D2EA109B12F90926A7370EF8CBC4F401131EE4E8B765DF2CD5448B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660317580, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF660317602
memset.MSVCRT ref: 00007FF660317645
memset.MSVCRT ref: 00007FF660317690

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313464: TraceMessage.ADVAPI32 ref: 00007FF66031348D

Strings

CTscRemoteSessionsManager, xrefs: 00007FF660317596

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressFreeHandleLibraryMessageModuleProcTrace
String ID: CTscRemoteSessionsManager
API String ID: 2883347319-3436837636
Opcode ID: 9e9cc0398561ad37a8f95b1ba92c64882dde7c6af5d3ad0bcc67dc1e60cbbf05
Instruction ID: 45a7e93d6ddc5349d5e6b8a89ce2cbc1de1ed82172f1512e49beb24ed2423928
Opcode Fuzzy Hash: 9e9cc0398561ad37a8f95b1ba92c64882dde7c6af5d3ad0bcc67dc1e60cbbf05
Instruction Fuzzy Hash: B4417C72618B91E6E718CF26E98029877B8FB48B44F504136E7AD87760DF39E672C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6604321E0, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6604322B3
RtlLookupFunctionEntry.NTDLL ref: 00007FF6604322D2
RtlVirtualUnwind.NTDLL ref: 00007FF66043231F
__raise_securityfailure.LIBCMT ref: 00007FF660432404

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 7c570f01fec3b91544aebf3eb311912d0d375704b3f53a480b82d87748a00ba7
Instruction ID: 152428dd66f138f6391f51675bca79d42843b3bee38b5dc4c44a994ea92707f0
Opcode Fuzzy Hash: 7c570f01fec3b91544aebf3eb311912d0d375704b3f53a480b82d87748a00ba7
Instruction Fuzzy Hash: 0E41C775A18F11E1EA648B1AF8903657374FF88744F901136DA8D8B764EF7DE464CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66033EE1C, Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CM_Get_Child.CFGMGR32 ref: 00007FF66033EE4D

Part of subcall function 00007FF66033EE1C: CM_Get_DevNode_Registry_PropertyW.CFGMGR32 ref: 00007FF66033EE9A
Part of subcall function 00007FF66033EE1C: CLSIDFromString.OLE32 ref: 00007FF66033EEB2
Part of subcall function 00007FF66033EE1C: CM_Get_Sibling.CFGMGR32 ref: 00007FF66033EED9

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Get_$ChildFromNode_PropertyRegistry_SiblingString
String ID:
API String ID: 925555955-0
Opcode ID: 47db6d0964daa8d62d6cfd0aeb58f763ba6b2473ee326ad0938f4fc71e622a4e
Instruction ID: 8c93aa3360ed6356db3ff23c1bf92ebf14b9bbc4382b79e8beabfe3a96ef7237
Opcode Fuzzy Hash: 47db6d0964daa8d62d6cfd0aeb58f763ba6b2473ee326ad0938f4fc71e622a4e
Instruction Fuzzy Hash: 92213E22B04A52EAFB648FA1D5907ED2370AB58749F500035DE0D6AB98EF38E956C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66032CD38, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66032CD87
memcpy.MSVCRT ref: 00007FF66032CDE2

Strings

\, xrefs: 00007FF66032CDC0
\, xrefs: 00007FF66032CDBA

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: \$\
API String ID: 3510742995-164819647
Opcode ID: 8b74d6e1f8a14856848c516adc9ba5f3dfa356dea5268a121950f8f13dfa16d4
Instruction ID: c4c08540fe9ec00a85a78f01e0b5b9b72fe228e6d26b423e99315839115f00be
Opcode Fuzzy Hash: 8b74d6e1f8a14856848c516adc9ba5f3dfa356dea5268a121950f8f13dfa16d4
Instruction Fuzzy Hash: BE21D512A04652E0EB209F19E9401386BB0FB68FE5F054B30CE6EAB7D5DF7CE4918380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6603581CC, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6603581F2
VerSetConditionMask.KERNEL32 ref: 00007FF660358219
VerSetConditionMask.KERNEL32 ref: 00007FF66035822A
VerifyVersionInfoW.KERNEL32 ref: 00007FF66035823D

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: ba104497eb9d9a4ae2a9dd2253f4b3acbd7610eca4c0b4f34eeec0c6a48aac07
Instruction ID: 566af25b65b2b371d1b61ac540e261dc06b58f9382e97e3ecab3df96d60deb58
Opcode Fuzzy Hash: ba104497eb9d9a4ae2a9dd2253f4b3acbd7610eca4c0b4f34eeec0c6a48aac07
Instruction Fuzzy Hash: 6BF08C75A08681C2EB349B12F4163AA73A0FB8D744F401035CA9D4B799CF3CD5058B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660311D78, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

CoRegisterClassObject.OLE32 ref: 00007FF660311E40
CoRegisterClassObject.OLE32 ref: 00007FF660311EFD

Strings

(*ppEntry)->RegisterClassObject failed!, xrefs: 00007FF660311F66

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassObjectRegister
String ID: (*ppEntry)->RegisterClassObject failed!
API String ID: 352222023-1667970102
Opcode ID: 2f4d3a96e3fdbe854b1850faadd91ddcef6472206514d66b423256d4f681926d
Instruction ID: e2477e9b404ea44b8f8193cba6514dc6ebcf7ae835440d1ee3415c817d4f1c10
Opcode Fuzzy Hash: 2f4d3a96e3fdbe854b1850faadd91ddcef6472206514d66b423256d4f681926d
Instruction Fuzzy Hash: 4E512832B18B17E5EB618F56D8802A837B1FB68B89F004576CB4DABB64DF3CE5558340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF66031BD57, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF66032BEA0: LoadLibraryW.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF66031BE49), ref: 00007FF66032BED3

ShellMessageBoxW.SHLWAPI ref: 00007FF66031BF46

Part of subcall function 00007FF66032BC68: GetLastError.KERNEL32 ref: 00007FF66032BC97
Part of subcall function 00007FF66032BC68: LoadCursorW.USER32 ref: 00007FF66032BCC6
Part of subcall function 00007FF66032BC68: GetStockObject.GDI32 ref: 00007FF66032BCD4
Part of subcall function 00007FF66032BC68: RegisterClassExW.USER32 ref: 00007FF66032BCF5
Part of subcall function 00007FF66032BC68: GetLastError.KERNEL32 ref: 00007FF66032BD01
Part of subcall function 00007FF66032BC68: GetLastError.KERNEL32 ref: 00007FF66032BD39

Strings

OnPreCreateControl failed, xrefs: 00007FF66031BE30
CreateExtension failed, xrefs: 00007FF66031BD9A

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$LibraryLoad$AddressClassCursorFreeHandleMessageModuleObjectProcRegisterShellStock
String ID: CreateExtension failed$OnPreCreateControl failed
API String ID: 4015291541-755349371
Opcode ID: 0fe41b02e42a6f0671af87f8dbd0988f99630d7e05a44ac46d33427ce693c950
Instruction ID: 37a17dd97299733cb5f04766b898e924168946d3fbdec6ed8c14c5bfff0c1e3a
Opcode Fuzzy Hash: 0fe41b02e42a6f0671af87f8dbd0988f99630d7e05a44ac46d33427ce693c950
Instruction Fuzzy Hash: 0B513B21A08A47F6EB649F26D8442B837B1FB88789F500076DA4DEF7A1DF3CE5568740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF660324980, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00007FF6603249A1
PostMessageW.USER32 ref: 00007FF660324A34

Part of subcall function 00007FF6603133DC: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313410
Part of subcall function 00007FF6603133DC: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313426
Part of subcall function 00007FF6603133DC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF66042E1AD), ref: 00007FF660313446

Part of subcall function 00007FF660313280: TraceMessage.ADVAPI32 ref: 00007FF6603132FF

Strings

put_FullScreen failed!, xrefs: 00007FF660324A0A

Memory Dump Source

Source File: 00000016.00000002.378618994.00007FF660311000.00000020.00020000.sdmp, Offset: 00007FF660310000, based on PE: true

Associated: 00000016.00000002.378602816.00007FF660310000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379188150.00007FF660434000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379303184.00007FF66046A000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.379312564.00007FF66046D000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379324665.00007FF660477000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379383200.00007FF660515000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379394535.00007FF66051C000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379406671.00007FF660527000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.379434886.00007FF66053F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$AddressFreeHandleInfoLibraryModuleParametersPostProcSystemTrace
String ID: put_FullScreen failed!
API String ID: 2397186937-1360584600
Opcode ID: 750bf6bf0291d43e8bde3ca2a32bbe72e4c5374da448a7d02ec44634586f2f51
Instruction ID: d09259cec051203565d0cfb1b96b814adaac9fe26ba6a8cf0714513b22d4249b
Opcode Fuzzy Hash: 750bf6bf0291d43e8bde3ca2a32bbe72e4c5374da448a7d02ec44634586f2f51
Instruction Fuzzy Hash: 39218122B18A43E2EB64CF69E44467967B1FBC8789F604035CA0D8B761DE3CE4558B44

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2JlIMkLNXh

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage