Play interactive tour

Edit tour

Windows Analysis Report A1ogRC4R34

Overview

General Information

Sample Name:	A1ogRC4R34 (renamed file extension from none to dll)
Analysis ID:	492806
MD5:	5edd6ba336c4de29f55cadfd2167a67e
SHA1:	af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256:	eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Accesses ntoskrnl, likely to find offsets for exploits

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Drops files with a non-matching file extension (content does not match file extension)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7096 cmdline: loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 3192 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6396 cmdline: rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6408 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rdpinit.exe (PID: 6372 cmdline: C:\Windows\system32\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)

rdpinit.exe (PID: 5620 cmdline: C:\Users\user\AppData\Local\fID\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)

DmNotificationBroker.exe (PID: 4592 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)

DmNotificationBroker.exe (PID: 5212 cmdline: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)

BitLockerWizardElev.exe (PID: 4916 cmdline: C:\Windows\system32\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)

BitLockerWizardElev.exe (PID: 6400 cmdline: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)

wusa.exe (PID: 3676 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

wusa.exe (PID: 964 cmdline: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

SystemPropertiesAdvanced.exe (PID: 6548 cmdline: C:\Windows\system32\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)

SystemPropertiesAdvanced.exe (PID: 6656 cmdline: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)

unregmp2.exe (PID: 7140 cmdline: C:\Windows\system32\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)

rundll32.exe (PID: 6492 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3684 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000028.00000002.476229981.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000026.00000002.449479227.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000022.00000002.416996891.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: A1ogRC4R34.dll	Virustotal: Detection: 62%	Perma Link
Source: A1ogRC4R34.dll	Metadefender: Detection: 57%	Perma Link
Source: A1ogRC4R34.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Show sources

Source: A1ogRC4R34.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Avira: detection malicious, Label: HEUR/AGEN.1114452

Machine Learning detection for sample

Show sources

Source: A1ogRC4R34.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,

24_2_00007FF785A82D94

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\system32\ntkrnlmp.exe

Jump to behavior

Source: A1ogRC4R34.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

1_2_000000014005D290

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000028.00000002.476229981.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.449479227.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.416996891.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034870	1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035270	1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048AC0	1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C340	1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140065B80	1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0	1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400524B0	1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026CC0	1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BD40	1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400495B0	1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036F30	1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069010	1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001010	1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066020	1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F840	1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D850	1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064080	1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140010880	1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400688A0	1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D0D0	1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400018D0	1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016100	1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D100	1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A110	1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D910	1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015120	1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000B120	1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F940	1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039140	1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023140	1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057950	1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E170	1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002980	1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400611A0	1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A0	1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400381A0	1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E1B0	1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400139D0	1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400319F0	1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA00	1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022A00	1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B220	1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067A40	1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069A50	1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007A60	1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AAC0	1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A2E0	1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140062B00	1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018300	1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FB20	1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031340	1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022340	1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017B40	1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BB40	1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EB60	1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005370	1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CB80	1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B390	1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140054BA0	1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033BB0	1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400263C0	1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400123C0	1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063BD0	1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400663F0	1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023BF0	1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B41B	1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B424	1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B42D	1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B436	1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B43D	1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024440	1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005C40	1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B446	1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005F490	1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D00	1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035520	1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019D20	1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030530	1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023530	1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031540	1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033540	1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014007BD50	1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140078570	1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019580	1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205A0	1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025DB0	1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140071DC0	1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000C5C0	1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DDE0	1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DF0	1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000DDF0	1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001620	1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018630	1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032650	1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064E80	1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016E80	1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007EA0	1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400286B0	1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006EB0	1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400276C0	1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FEC0	1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EED0	1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B6E0	1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053F20	1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022730	1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029780	1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018F80	1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003EFB0	1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400067B0	1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400667D0	1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060FE0	1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A82EA4	24_2_00007FF785A82EA4
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAE688	24_2_00007FF785AAE688
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB8E00	24_2_00007FF785AB8E00
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785ABA908	24_2_00007FF785ABA908
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A8D87C	24_2_00007FF785A8D87C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A91780	24_2_00007FF785A91780
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB7ACC	24_2_00007FF785AB7ACC
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB9B14	24_2_00007FF785AB9B14
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB8A40	24_2_00007FF785AB8A40
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785ABB1C0	24_2_00007FF785ABB1C0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAE12C	24_2_00007FF785AAE12C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB1978	24_2_00007FF785AB1978
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB4CD0	24_2_00007FF785AB4CD0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A9FCF0	24_2_00007FF785A9FCF0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAFC6C	24_2_00007FF785AAFC6C

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046C90 NtClose,	1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,	1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle,	24_2_00007FF785AA9590

Source: DmNotificationBroker.exe.5.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: FVEWIZ.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: TAPI32.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: DUI70.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: WINSTA.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: SYSDM.CPL.5.dr	Static PE information: Number of sections : 48 > 10
Source: WINMM.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: VERSION.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: A1ogRC4R34.dll	Static PE information: Number of sections : 47 > 10
Source: dpx.dll.5.dr	Static PE information: Number of sections : 47 > 10

Source: A1ogRC4R34.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FVEWIZ.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: A1ogRC4R34.dll	Virustotal: Detection: 62%
Source: A1ogRC4R34.dll	Metadefender: Detection: 57%
Source: A1ogRC4R34.dll	ReversingLabs: Detection: 75%

Source: A1ogRC4R34.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDLL@38/17@0/0

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A91D80 CoCreateInstance,CoSetProxyBlanket,

24_2_00007FF785A91D80

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA

Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0ad3bd68-c5ec-a10f-ef97-5ace4ed7d359}
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\{f429f929-471a-28a5-5cf5-8c81149c5888}

Source: rdpinit.exe

String found in binary or memory: Re-Start RdpShell failed

Source: A1ogRC4R34.dll

Static PE information: More than 166 > 100 exports found

Source: A1ogRC4R34.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: A1ogRC4R34.dll

Static file information: File size 2166784 > 1048576

Source: A1ogRC4R34.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056A4D push rdi; ret		1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A94162 push rcx; ret		24_2_00007FF785A94163

Source: A1ogRC4R34.dll	Static PE information: section name: .qkm
Source: A1ogRC4R34.dll	Static PE information: section name: .cvjb
Source: A1ogRC4R34.dll	Static PE information: section name: .tlmkv
Source: A1ogRC4R34.dll	Static PE information: section name: .wucsxe
Source: A1ogRC4R34.dll	Static PE information: section name: .fltwtj
Source: A1ogRC4R34.dll	Static PE information: section name: .sfplio
Source: A1ogRC4R34.dll	Static PE information: section name: .rpg
Source: A1ogRC4R34.dll	Static PE information: section name: .bewzc
Source: A1ogRC4R34.dll	Static PE information: section name: .vksvaw
Source: A1ogRC4R34.dll	Static PE information: section name: .wmhg
Source: A1ogRC4R34.dll	Static PE information: section name: .kswemc
Source: A1ogRC4R34.dll	Static PE information: section name: .kaxfk
Source: A1ogRC4R34.dll	Static PE information: section name: .pjf
Source: A1ogRC4R34.dll	Static PE information: section name: .retjqj
Source: A1ogRC4R34.dll	Static PE information: section name: .mizn
Source: A1ogRC4R34.dll	Static PE information: section name: .rsrub
Source: A1ogRC4R34.dll	Static PE information: section name: .fhgxfk
Source: A1ogRC4R34.dll	Static PE information: section name: .wqpbrq
Source: A1ogRC4R34.dll	Static PE information: section name: .xlhbgj
Source: A1ogRC4R34.dll	Static PE information: section name: .rzgl
Source: A1ogRC4R34.dll	Static PE information: section name: .yic
Source: A1ogRC4R34.dll	Static PE information: section name: .zfmbo
Source: A1ogRC4R34.dll	Static PE information: section name: .kurwl
Source: A1ogRC4R34.dll	Static PE information: section name: .crlsf
Source: A1ogRC4R34.dll	Static PE information: section name: .wrn
Source: A1ogRC4R34.dll	Static PE information: section name: .blcv
Source: A1ogRC4R34.dll	Static PE information: section name: .roblb
Source: A1ogRC4R34.dll	Static PE information: section name: .yblxa
Source: A1ogRC4R34.dll	Static PE information: section name: .tfy
Source: A1ogRC4R34.dll	Static PE information: section name: .wsmv
Source: A1ogRC4R34.dll	Static PE information: section name: .hrs
Source: A1ogRC4R34.dll	Static PE information: section name: .ppapg
Source: A1ogRC4R34.dll	Static PE information: section name: .udm
Source: A1ogRC4R34.dll	Static PE information: section name: .fxc
Source: A1ogRC4R34.dll	Static PE information: section name: .fvxxk
Source: A1ogRC4R34.dll	Static PE information: section name: .zmj
Source: A1ogRC4R34.dll	Static PE information: section name: .zvz
Source: A1ogRC4R34.dll	Static PE information: section name: .xyiz
Source: A1ogRC4R34.dll	Static PE information: section name: .gbzxp
Source: A1ogRC4R34.dll	Static PE information: section name: .kkivgv
Source: A1ogRC4R34.dll	Static PE information: section name: .evwibb
Source: rdpinit.exe.5.dr	Static PE information: section name: .imrsiv
Source: DmNotificationBroker.exe.5.dr	Static PE information: section name: .imrsiv
Source: WINSTA.dll.5.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.5.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.5.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.5.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.5.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.5.dr	Static PE information: section name: .sfplio
Source: WINSTA.dll.5.dr	Static PE information: section name: .rpg
Source: WINSTA.dll.5.dr	Static PE information: section name: .bewzc
Source: WINSTA.dll.5.dr	Static PE information: section name: .vksvaw
Source: WINSTA.dll.5.dr	Static PE information: section name: .wmhg
Source: WINSTA.dll.5.dr	Static PE information: section name: .kswemc
Source: WINSTA.dll.5.dr	Static PE information: section name: .kaxfk
Source: WINSTA.dll.5.dr	Static PE information: section name: .pjf
Source: WINSTA.dll.5.dr	Static PE information: section name: .retjqj
Source: WINSTA.dll.5.dr	Static PE information: section name: .mizn
Source: WINSTA.dll.5.dr	Static PE information: section name: .rsrub
Source: WINSTA.dll.5.dr	Static PE information: section name: .fhgxfk
Source: WINSTA.dll.5.dr	Static PE information: section name: .wqpbrq
Source: WINSTA.dll.5.dr	Static PE information: section name: .xlhbgj
Source: WINSTA.dll.5.dr	Static PE information: section name: .rzgl
Source: WINSTA.dll.5.dr	Static PE information: section name: .yic
Source: WINSTA.dll.5.dr	Static PE information: section name: .zfmbo
Source: WINSTA.dll.5.dr	Static PE information: section name: .kurwl
Source: WINSTA.dll.5.dr	Static PE information: section name: .crlsf
Source: WINSTA.dll.5.dr	Static PE information: section name: .wrn
Source: WINSTA.dll.5.dr	Static PE information: section name: .blcv
Source: WINSTA.dll.5.dr	Static PE information: section name: .roblb
Source: WINSTA.dll.5.dr	Static PE information: section name: .yblxa
Source: WINSTA.dll.5.dr	Static PE information: section name: .tfy
Source: WINSTA.dll.5.dr	Static PE information: section name: .wsmv
Source: WINSTA.dll.5.dr	Static PE information: section name: .hrs
Source: WINSTA.dll.5.dr	Static PE information: section name: .ppapg
Source: WINSTA.dll.5.dr	Static PE information: section name: .udm
Source: WINSTA.dll.5.dr	Static PE information: section name: .fxc
Source: WINSTA.dll.5.dr	Static PE information: section name: .fvxxk
Source: WINSTA.dll.5.dr	Static PE information: section name: .zmj
Source: WINSTA.dll.5.dr	Static PE information: section name: .zvz
Source: WINSTA.dll.5.dr	Static PE information: section name: .xyiz
Source: WINSTA.dll.5.dr	Static PE information: section name: .gbzxp
Source: WINSTA.dll.5.dr	Static PE information: section name: .kkivgv
Source: WINSTA.dll.5.dr	Static PE information: section name: .evwibb
Source: WINSTA.dll.5.dr	Static PE information: section name: .rqefr
Source: DUI70.dll.5.dr	Static PE information: section name: .qkm
Source: DUI70.dll.5.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.5.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.5.dr	Static PE information: section name: .rpg
Source: DUI70.dll.5.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.5.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.5.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.5.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.5.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.5.dr	Static PE information: section name: .pjf
Source: DUI70.dll.5.dr	Static PE information: section name: .retjqj
Source: DUI70.dll.5.dr	Static PE information: section name: .mizn
Source: DUI70.dll.5.dr	Static PE information: section name: .rsrub
Source: DUI70.dll.5.dr	Static PE information: section name: .fhgxfk
Source: DUI70.dll.5.dr	Static PE information: section name: .wqpbrq
Source: DUI70.dll.5.dr	Static PE information: section name: .xlhbgj
Source: DUI70.dll.5.dr	Static PE information: section name: .rzgl
Source: DUI70.dll.5.dr	Static PE information: section name: .yic
Source: DUI70.dll.5.dr	Static PE information: section name: .zfmbo
Source: DUI70.dll.5.dr	Static PE information: section name: .kurwl
Source: DUI70.dll.5.dr	Static PE information: section name: .crlsf
Source: DUI70.dll.5.dr	Static PE information: section name: .wrn
Source: DUI70.dll.5.dr	Static PE information: section name: .blcv
Source: DUI70.dll.5.dr	Static PE information: section name: .roblb
Source: DUI70.dll.5.dr	Static PE information: section name: .yblxa
Source: DUI70.dll.5.dr	Static PE information: section name: .tfy
Source: DUI70.dll.5.dr	Static PE information: section name: .wsmv
Source: DUI70.dll.5.dr	Static PE information: section name: .hrs
Source: DUI70.dll.5.dr	Static PE information: section name: .ppapg
Source: DUI70.dll.5.dr	Static PE information: section name: .udm
Source: DUI70.dll.5.dr	Static PE information: section name: .fxc
Source: DUI70.dll.5.dr	Static PE information: section name: .fvxxk
Source: DUI70.dll.5.dr	Static PE information: section name: .zmj
Source: DUI70.dll.5.dr	Static PE information: section name: .zvz
Source: DUI70.dll.5.dr	Static PE information: section name: .xyiz
Source: DUI70.dll.5.dr	Static PE information: section name: .gbzxp
Source: DUI70.dll.5.dr	Static PE information: section name: .kkivgv
Source: DUI70.dll.5.dr	Static PE information: section name: .evwibb
Source: DUI70.dll.5.dr	Static PE information: section name: .kcklp
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .qkm
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .cvjb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .tlmkv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wucsxe
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fltwtj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .sfplio
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rpg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .bewzc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .vksvaw
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wmhg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kswemc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kaxfk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .pjf
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .retjqj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .mizn
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rsrub
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fhgxfk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wqpbrq
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .xlhbgj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rzgl
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .yic
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zfmbo
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kurwl
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .crlsf
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wrn
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .blcv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .roblb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .yblxa
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .tfy
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wsmv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .hrs
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .ppapg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .udm
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fxc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fvxxk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zmj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zvz
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .xyiz
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .gbzxp
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kkivgv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .evwibb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .nzduo
Source: dpx.dll.5.dr	Static PE information: section name: .qkm
Source: dpx.dll.5.dr	Static PE information: section name: .cvjb
Source: dpx.dll.5.dr	Static PE information: section name: .tlmkv
Source: dpx.dll.5.dr	Static PE information: section name: .wucsxe
Source: dpx.dll.5.dr	Static PE information: section name: .fltwtj
Source: dpx.dll.5.dr	Static PE information: section name: .sfplio
Source: dpx.dll.5.dr	Static PE information: section name: .rpg
Source: dpx.dll.5.dr	Static PE information: section name: .bewzc
Source: dpx.dll.5.dr	Static PE information: section name: .vksvaw
Source: dpx.dll.5.dr	Static PE information: section name: .wmhg
Source: dpx.dll.5.dr	Static PE information: section name: .kswemc
Source: dpx.dll.5.dr	Static PE information: section name: .kaxfk
Source: dpx.dll.5.dr	Static PE information: section name: .pjf
Source: dpx.dll.5.dr	Static PE information: section name: .retjqj
Source: dpx.dll.5.dr	Static PE information: section name: .mizn
Source: dpx.dll.5.dr	Static PE information: section name: .rsrub
Source: dpx.dll.5.dr	Static PE information: section name: .fhgxfk
Source: dpx.dll.5.dr	Static PE information: section name: .wqpbrq
Source: dpx.dll.5.dr	Static PE information: section name: .xlhbgj
Source: dpx.dll.5.dr	Static PE information: section name: .rzgl
Source: dpx.dll.5.dr	Static PE information: section name: .yic
Source: dpx.dll.5.dr	Static PE information: section name: .zfmbo
Source: dpx.dll.5.dr	Static PE information: section name: .kurwl
Source: dpx.dll.5.dr	Static PE information: section name: .crlsf
Source: dpx.dll.5.dr	Static PE information: section name: .wrn
Source: dpx.dll.5.dr	Static PE information: section name: .blcv
Source: dpx.dll.5.dr	Static PE information: section name: .roblb
Source: dpx.dll.5.dr	Static PE information: section name: .yblxa
Source: dpx.dll.5.dr	Static PE information: section name: .tfy
Source: dpx.dll.5.dr	Static PE information: section name: .wsmv
Source: dpx.dll.5.dr	Static PE information: section name: .hrs
Source: dpx.dll.5.dr	Static PE information: section name: .ppapg
Source: dpx.dll.5.dr	Static PE information: section name: .udm
Source: dpx.dll.5.dr	Static PE information: section name: .fxc
Source: dpx.dll.5.dr	Static PE information: section name: .fvxxk
Source: dpx.dll.5.dr	Static PE information: section name: .zmj
Source: dpx.dll.5.dr	Static PE information: section name: .zvz
Source: dpx.dll.5.dr	Static PE information: section name: .xyiz
Source: dpx.dll.5.dr	Static PE information: section name: .gbzxp
Source: dpx.dll.5.dr	Static PE information: section name: .kkivgv
Source: dpx.dll.5.dr	Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr	Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fltwtj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .sfplio
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rpg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .bewzc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .vksvaw
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wmhg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kswemc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kaxfk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .pjf
Source: SYSDM.CPL.5.dr	Static PE information: section name: .retjqj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .mizn
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rsrub
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fhgxfk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wqpbrq
Source: SYSDM.CPL.5.dr	Static PE information: section name: .xlhbgj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rzgl
Source: SYSDM.CPL.5.dr	Static PE information: section name: .yic
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zfmbo
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kurwl
Source: SYSDM.CPL.5.dr	Static PE information: section name: .crlsf
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wrn
Source: SYSDM.CPL.5.dr	Static PE information: section name: .blcv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .roblb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .yblxa
Source: SYSDM.CPL.5.dr	Static PE information: section name: .tfy
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wsmv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .hrs
Source: SYSDM.CPL.5.dr	Static PE information: section name: .ppapg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .udm
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fxc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fvxxk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zmj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zvz
Source: SYSDM.CPL.5.dr	Static PE information: section name: .xyiz
Source: SYSDM.CPL.5.dr	Static PE information: section name: .gbzxp
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kkivgv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .ffktuw
Source: VERSION.dll.5.dr	Static PE information: section name: .qkm
Source: VERSION.dll.5.dr	Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr	Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr	Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr	Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr	Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr	Static PE information: section name: .rpg
Source: VERSION.dll.5.dr	Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr	Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr	Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr	Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr	Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr	Static PE information: section name: .pjf
Source: VERSION.dll.5.dr	Static PE information: section name: .retjqj
Source: VERSION.dll.5.dr	Static PE information: section name: .mizn
Source: VERSION.dll.5.dr	Static PE information: section name: .rsrub
Source: VERSION.dll.5.dr	Static PE information: section name: .fhgxfk
Source: VERSION.dll.5.dr	Static PE information: section name: .wqpbrq
Source: VERSION.dll.5.dr	Static PE information: section name: .xlhbgj
Source: VERSION.dll.5.dr	Static PE information: section name: .rzgl
Source: VERSION.dll.5.dr	Static PE information: section name: .yic
Source: VERSION.dll.5.dr	Static PE information: section name: .zfmbo
Source: VERSION.dll.5.dr	Static PE information: section name: .kurwl
Source: VERSION.dll.5.dr	Static PE information: section name: .crlsf
Source: VERSION.dll.5.dr	Static PE information: section name: .wrn
Source: VERSION.dll.5.dr	Static PE information: section name: .blcv
Source: VERSION.dll.5.dr	Static PE information: section name: .roblb
Source: VERSION.dll.5.dr	Static PE information: section name: .yblxa
Source: VERSION.dll.5.dr	Static PE information: section name: .tfy
Source: VERSION.dll.5.dr	Static PE information: section name: .wsmv
Source: VERSION.dll.5.dr	Static PE information: section name: .hrs
Source: VERSION.dll.5.dr	Static PE information: section name: .ppapg
Source: VERSION.dll.5.dr	Static PE information: section name: .udm
Source: VERSION.dll.5.dr	Static PE information: section name: .fxc
Source: VERSION.dll.5.dr	Static PE information: section name: .fvxxk
Source: VERSION.dll.5.dr	Static PE information: section name: .zmj
Source: VERSION.dll.5.dr	Static PE information: section name: .zvz
Source: VERSION.dll.5.dr	Static PE information: section name: .xyiz
Source: VERSION.dll.5.dr	Static PE information: section name: .gbzxp
Source: VERSION.dll.5.dr	Static PE information: section name: .kkivgv
Source: VERSION.dll.5.dr	Static PE information: section name: .evwibb
Source: VERSION.dll.5.dr	Static PE information: section name: .swia
Source: TAPI32.dll.5.dr	Static PE information: section name: .qkm
Source: TAPI32.dll.5.dr	Static PE information: section name: .cvjb
Source: TAPI32.dll.5.dr	Static PE information: section name: .tlmkv
Source: TAPI32.dll.5.dr	Static PE information: section name: .wucsxe
Source: TAPI32.dll.5.dr	Static PE information: section name: .fltwtj
Source: TAPI32.dll.5.dr	Static PE information: section name: .sfplio
Source: TAPI32.dll.5.dr	Static PE information: section name: .rpg
Source: TAPI32.dll.5.dr	Static PE information: section name: .bewzc
Source: TAPI32.dll.5.dr	Static PE information: section name: .vksvaw
Source: TAPI32.dll.5.dr	Static PE information: section name: .wmhg
Source: TAPI32.dll.5.dr	Static PE information: section name: .kswemc
Source: TAPI32.dll.5.dr	Static PE information: section name: .kaxfk
Source: TAPI32.dll.5.dr	Static PE information: section name: .pjf
Source: TAPI32.dll.5.dr	Static PE information: section name: .retjqj
Source: TAPI32.dll.5.dr	Static PE information: section name: .mizn
Source: TAPI32.dll.5.dr	Static PE information: section name: .rsrub
Source: TAPI32.dll.5.dr	Static PE information: section name: .fhgxfk
Source: TAPI32.dll.5.dr	Static PE information: section name: .wqpbrq
Source: TAPI32.dll.5.dr	Static PE information: section name: .xlhbgj
Source: TAPI32.dll.5.dr	Static PE information: section name: .rzgl
Source: TAPI32.dll.5.dr	Static PE information: section name: .yic
Source: TAPI32.dll.5.dr	Static PE information: section name: .zfmbo
Source: TAPI32.dll.5.dr	Static PE information: section name: .kurwl
Source: TAPI32.dll.5.dr	Static PE information: section name: .crlsf
Source: TAPI32.dll.5.dr	Static PE information: section name: .wrn
Source: TAPI32.dll.5.dr	Static PE information: section name: .blcv
Source: TAPI32.dll.5.dr	Static PE information: section name: .roblb
Source: TAPI32.dll.5.dr	Static PE information: section name: .yblxa
Source: TAPI32.dll.5.dr	Static PE information: section name: .tfy
Source: TAPI32.dll.5.dr	Static PE information: section name: .wsmv
Source: TAPI32.dll.5.dr	Static PE information: section name: .hrs
Source: TAPI32.dll.5.dr	Static PE information: section name: .ppapg
Source: TAPI32.dll.5.dr	Static PE information: section name: .udm
Source: TAPI32.dll.5.dr	Static PE information: section name: .fxc
Source: TAPI32.dll.5.dr	Static PE information: section name: .fvxxk
Source: TAPI32.dll.5.dr	Static PE information: section name: .zmj
Source: TAPI32.dll.5.dr	Static PE information: section name: .zvz
Source: TAPI32.dll.5.dr	Static PE information: section name: .xyiz
Source: TAPI32.dll.5.dr	Static PE information: section name: .gbzxp
Source: TAPI32.dll.5.dr	Static PE information: section name: .kkivgv
Source: TAPI32.dll.5.dr	Static PE information: section name: .evwibb
Source: TAPI32.dll.5.dr	Static PE information: section name: .apbeye
Source: WINMM.dll.5.dr	Static PE information: section name: .qkm
Source: WINMM.dll.5.dr	Static PE information: section name: .cvjb
Source: WINMM.dll.5.dr	Static PE information: section name: .tlmkv
Source: WINMM.dll.5.dr	Static PE information: section name: .wucsxe
Source: WINMM.dll.5.dr	Static PE information: section name: .fltwtj
Source: WINMM.dll.5.dr	Static PE information: section name: .sfplio
Source: WINMM.dll.5.dr	Static PE information: section name: .rpg
Source: WINMM.dll.5.dr	Static PE information: section name: .bewzc
Source: WINMM.dll.5.dr	Static PE information: section name: .vksvaw
Source: WINMM.dll.5.dr	Static PE information: section name: .wmhg
Source: WINMM.dll.5.dr	Static PE information: section name: .kswemc
Source: WINMM.dll.5.dr	Static PE information: section name: .kaxfk
Source: WINMM.dll.5.dr	Static PE information: section name: .pjf
Source: WINMM.dll.5.dr	Static PE information: section name: .retjqj
Source: WINMM.dll.5.dr	Static PE information: section name: .mizn
Source: WINMM.dll.5.dr	Static PE information: section name: .rsrub
Source: WINMM.dll.5.dr	Static PE information: section name: .fhgxfk
Source: WINMM.dll.5.dr	Static PE information: section name: .wqpbrq
Source: WINMM.dll.5.dr	Static PE information: section name: .xlhbgj
Source: WINMM.dll.5.dr	Static PE information: section name: .rzgl
Source: WINMM.dll.5.dr	Static PE information: section name: .yic
Source: WINMM.dll.5.dr	Static PE information: section name: .zfmbo
Source: WINMM.dll.5.dr	Static PE information: section name: .kurwl
Source: WINMM.dll.5.dr	Static PE information: section name: .crlsf
Source: WINMM.dll.5.dr	Static PE information: section name: .wrn
Source: WINMM.dll.5.dr	Static PE information: section name: .blcv
Source: WINMM.dll.5.dr	Static PE information: section name: .roblb
Source: WINMM.dll.5.dr	Static PE information: section name: .yblxa
Source: WINMM.dll.5.dr	Static PE information: section name: .tfy
Source: WINMM.dll.5.dr	Static PE information: section name: .wsmv
Source: WINMM.dll.5.dr	Static PE information: section name: .hrs
Source: WINMM.dll.5.dr	Static PE information: section name: .ppapg
Source: WINMM.dll.5.dr	Static PE information: section name: .udm
Source: WINMM.dll.5.dr	Static PE information: section name: .fxc
Source: WINMM.dll.5.dr	Static PE information: section name: .fvxxk
Source: WINMM.dll.5.dr	Static PE information: section name: .zmj
Source: WINMM.dll.5.dr	Static PE information: section name: .zvz
Source: WINMM.dll.5.dr	Static PE information: section name: .xyiz
Source: WINMM.dll.5.dr	Static PE information: section name: .gbzxp
Source: WINMM.dll.5.dr	Static PE information: section name: .kkivgv
Source: WINMM.dll.5.dr	Static PE information: section name: .evwibb
Source: WINMM.dll.5.dr	Static PE information: section name: .aao

Source: FVEWIZ.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x219e6e
Source: TAPI32.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21d462
Source: DUI70.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x25ec74
Source: WINSTA.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x218cc7
Source: SYSDM.CPL.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21750b
Source: WINMM.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2211c1
Source: VERSION.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21b310
Source: A1ogRC4R34.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x21d47c
Source: dpx.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21e2ea

Source: rdpinit.exe.5.dr

Static PE information: 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fID\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fID\rdpinit.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VcAfkDB\unregmp2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 rdtsc

24_2_00007FF785A82EA4

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005C340 GetSystemInfo,

1_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

1_2_000000014005D290

Source: explorer.exe, 00000005.00000000.278790068.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.236866941.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.235527628.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.279536555.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir99

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 VerSetConditionMask,VerifyVersionInfoW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetP

24_2_00007FF785A82EA4

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 rdtsc

24_2_00007FF785A82EA4

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,

1_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00007FF785AB72B4
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF785AAEA28
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAF1E0 SetUnhandledExceptionFilter,	24_2_00007FF785AAF1E0
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E092780 SetUnhandledExceptionFilter,	31_2_00007FF69E092780
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E092AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00007FF69E092AB4

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: WINSTA.dll.5.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1

Jump to behavior

Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp, rdpinit.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.277225784.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Queries volume information: unknown VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785AB060C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

24_2_00007FF785AB060C

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785AAE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA,

24_2_00007FF785AAE34B

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3630 SetPropW,RpcBindingFree,	24_2_00007FF785AA3630
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,	24_2_00007FF785AA1DF0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A8D87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle,	24_2_00007FF785A8D87C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,	24_2_00007FF785AA1FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW,	24_2_00007FF785AA3FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3F90 RpcBindingFree,	24_2_00007FF785AA3F90
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E0921B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree,	31_2_00007FF69E0921B8
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E0922F0 RpcBindingFree,	31_2_00007FF69E0922F0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Exploitation for Privilege Escalation1	Masquerading11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Process Injection312	Process Injection312	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Information Discovery25	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
A1ogRC4R34.dll	62%	Virustotal		Browse
A1ogRC4R34.dll	57%	Metadefender		Browse
A1ogRC4R34.dll	76%	ReversingLabs	Win64.Infostealer.Dridex
A1ogRC4R34.dll	100%	Avira	TR/Crypt.ZPACK.Gen
A1ogRC4R34.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\fID\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\uBsjD\DUI70.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\fID\WINSTA.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\uBsjD\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
31.2.DmNotificationBroker.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.rdpinit.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492806
Start date:	29.09.2021
Start time:	01:51:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	A1ogRC4R34 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDLL@38/17@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.6% (good quality ratio 6.9%) Quality average: 72.7% Quality standard deviation: 40.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.199.120.182, 204.79.197.200, 13.107.21.200, 23.54.113.45, 20.50.102.62, 20.199.120.151, 23.54.113.53, 20.199.120.85, 23.54.113.104, 23.0.174.200, 23.0.174.185, 23.10.249.26, 23.10.249.43, 20.54.110.249, 40.112.88.60 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.4921794252523632
Encrypted:	false
SSDEEP:	12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	0BDAF2F3724797EAF4254B3B131700E6
SHA1:	4E9489103C1BE75098B7D9382F436D39BB65D828
SHA-256:	866FBAEAE3267C7FA20C1F9C8A0D0CFC1699B6D98793FBDE193BC28936F7DAC8
SHA-512:	68100D08A418F66E25BA08668E43AC77D151190CB5E0028B86E287763631B466E8FC86F0376C22ABD5E14A57B1014C90B4CFE8A0EB3B0836C0C2EEDE0A7C766D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.065147438048501
Encrypted:	false
SSDEEP:	1536:UfuZktREC/rMcgEPJV+G57ThjEC0kzJP+V5Jl:VkzECTMpuDhjRVJG3
MD5:	82ED6250B9AA030DDC13DC075D2C16E3
SHA1:	BC2BDCF474A7315232136B29291166E789D1F280
SHA-256:	F321BB53BBC41C2CBFFABC56837F9FA723AA0C6ACB68A0C200CBC7427202DC9E
SHA-512:	94D34293F070F6505D6922977AC1EF8E08DB0D92DCA8823BCF7376FD81B3AA80D2BD0FEF21FC74BCE08EEBF82DF09114A71792945DE4E3BB1FD0929538DF489B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d.....o..........."..........>.................@....................................AS....`.......... .......................................&.......P..0'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...0'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2166784
Entropy (8bit):	3.4966791942802127
Encrypted:	false
SSDEEP:	12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	623DB87A3F248EA64BE5D903D21E9FB6
SHA1:	F816BA14F36DF9361B275670075534F8CEBB0A02
SHA-256:	2FECFF3A874320ACB1D2B749243CAF4714BA9507435EB066CD719435AED7E9D7
SHA-512:	5AF3F294602CA4366663183A77F8FEA2A3A871228C911A0CB8D3772442F74FEAC3EF1989C9AEBFEC2C3D4C50AFC321EDA05A3D321BCE8841D2A06EB497312B41
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d./..DN^.........." ................p..........@..............................!.....@lx}..b.........................................,o.......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	308736
Entropy (8bit):	6.55894801361276
Encrypted:	false
SSDEEP:	6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
MD5:	04CE745559916B99248F266BBF5F9ED9
SHA1:	76FA00103A89C735573D1D8946D8787A839475B6
SHA-256:	1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
SHA-512:	B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..-..~..~..~v./~}.~....}.~....i.~....{.~....d.~..~w.~....k.~..C~~.~....~.~Rich..~................PE..d.....TS.........."......`...X.......f.........@....................................g.....`.......... .......................................I...........T...p..................`....?..T...................Pq..(...Pp..............xq..@............................text...3^.......`.................. ..`.rdata..^....p.......d..............@..@.data........`.......T..............@....pdata.......p.......X..............@..@.rsrc....T.......V...^..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	222208
Entropy (8bit):	6.618425906220987
Encrypted:	false
SSDEEP:	3072:dklO/b97taQPr5pT8as3lJwvkAarSvDZpFB+2xmh0QSoKKBlKxyAZEHA:Oo/b1txPlh8I+rUts2xmhfGKraEH
MD5:	76086DD04B6760277A2B897345A0B457
SHA1:	DC65093DB601FE7AA2F4C0C400D18F43DA92DCFA
SHA-256:	BF492302281E3CD4F023FB54E101D8C3BD00FFEAFF75B5D7FE0C1CA43F291A81
SHA-512:	6528C86BA0272274A907F8559DFD79C55D1A6BAF3A4545EF3F6CDC4C790CC9FBDB7A3A8A2E72D0ED39651975DF5967608111448D1351BDC659E8F0F5E8C72442
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.".>.q.>.q.>.q.F~q.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.>.q/>.q.Z.p.>.q.Z.q.>.q.Z.p.>.qRich.>.q........PE..d... ..8.........."......J... ...... O.........@.....................................9....`.......... ..........................................................x.......................T............................a...............b...............................text....H.......J.................. ..`.rdata...]...`...^...N..............@..@.data...H...........................@....pdata..x...........................@..@.rsrc...............................@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.501635076472576
Encrypted:	false
SSDEEP:	12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	2AB1771EACAAB67C8DBCC40CC742146C
SHA1:	630753BE4D7354238AD511DEF9BEF46504102D67
SHA-256:	AEEEF877DA29CDBC34426C62C3C264346FE8570AA553056C8C6BB4D3758EAC1F
SHA-512:	A139373330E6607A61709BD5D9D1ADFCEEF8F6DEBE62ECE092C67267BA1171C2B40360BDAE286C7FC66C7027C6389F5C06C93CDA95389CE8A3DB54150F07AC8E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.h....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.492654327259235
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	0F593199E2816C0C8B8ED747CE1BEB85
SHA1:	423FD306E81B4F2D7FEF4D9F4F163BF5EE93EE7C
SHA-256:	B69C3AA0F262596A156376EA2931FC2324451A064F751DCE655F280650B046E5
SHA-512:	EC2234B909D85C89EE40C548CFC926D036A27B265F9793455AB6F2363AC66F81838F1D9288ECDB1BDEDA7D0C70A54EA8319BF6D0852C98FD24978A288BCABD7C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!.+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VcAfkDB\unregmp2.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254976
Entropy (8bit):	5.093220071075157
Encrypted:	false
SSDEEP:	3072:1t+/6BNqqNRhdutq4jCoNhdxtYEbvyIwYKO8/+9vAwk4OdamabJ9:3Bhhd+7QKb
MD5:	9B517303C58CA8A450B97B0D71594CBB
SHA1:	BE75E3F10E17400DA7C0FAF70BF16EE7D0AA93A8
SHA-256:	2A38BFC3813D7E845F455B31DF099C8A6E657EF4556BFF681315F86A883A3314
SHA-512:	6A47EC7800E1F1FCDBB44A018147CE4A87FF0F5B94597B182AAE4E8545D9B18FAAAA07379BA1086D8F7785F0F66C36E4B6C68FCF49130333B8A9DC3A9E9E08E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.R.............y.......y.......y.......y..........w....y.......yf......y......Rich....................PE..d....Q&..........."..........^................@.............................0.......A....`.......... ..........................................................0.......................T....................V..(....U...............V...............................text...w........................... ..`.rdata..4...........................@..@.data....8.......&..................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\fID\WINSTA.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.5091748741070106
Encrypted:	false
SSDEEP:	12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6F22D93755FC031456BE2557F243015B
SHA1:	FC3E0F51E986057956F65B48296CB1AA197E8116
SHA-256:	EA2649CC270C4676E22323536EF5CFF6BA657383CFDDF1EF700E6CCE00ED9E11
SHA-512:	70CE3B19AA4485D82C7FB8E910CC789F7D004592AA8FD21DA1D25B600A2E699E00CB6577731CE81F226EFE451FB971C277055DF9FE667675B954E8F1AE0EB662
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\fID\rdpinit.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.414070673036673
Encrypted:	false
SSDEEP:	6144:fOzsB7eGjsO+VxyQ/qY4gCJkxkVPXqdzVxNwK3S3drxhUS4eMZfCZc/o:fOzsB7eGjb+VxynJkxkZ6dzV63drxhlF
MD5:	EF7C9CF6EA5B8B9C5C8320990714C35D
SHA1:	9CBD44DE4761F9383F2E0352035D52B86ECE80C2
SHA-256:	0FD9B6C366E042ED83BFC53C5EA1AAF43F13F53D97F220B5571681BB766C33FA
SHA-512:	C2F5E902DF725BC05F03052042767635689A35226CA1C3436ADF4835C57666B3E815FD386B80517734AC3B71F2FB15E48CE2F6739D669B5F68F4A8989713E8FC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.....S...S...S.j.S...S.v.R...S.v.R...S.v.R...S.v.R...S...S...S.v.R...S.vmS...S.v.R...SRich...S................PE..d...q............"..........f...... ..........@.............................p......+................ ..........................................@....@..........d ...........`..x.......T............................................................................text...<........................... ..`.imrsiv..................................rdata..............................@..@.data....:..........................@....pdata..d ......."..................@..@.rsrc........@......................@..@.reloc..x....`......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.512499889839238
Encrypted:	false
SSDEEP:	12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	99671622AFF90CD9D173CA46E372D3AC
SHA1:	B689B8799C7A057958AF0BFAFF233142AC54F761
SHA-256:	578AD60043FB755F8546C8418C9D8FDE64D2C4BA9F4467CE812AA14D702FA855
SHA-512:	021357EAE61F5E372F5675788D0CDFA09A252238F808419E75912B53DC5507D26D6EB1B27B26000A699E53C0E831C6ADBFE66E4BA63577AB0FB129F6A9D44AC2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.V....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	4.999998588063228
Encrypted:	false
SSDEEP:	192:DIzBdu2Mhf/+G1jQ0pwPYqLmdO0O7RgZiLtzADWO4hxDcUh6UdBndOvfSWG0oW:GMVJjQ0dg0O7yk5ciJcUhLiSWG0oW
MD5:	0DDA495155D552D024593C4B3246C8FA
SHA1:	7501A7AD5DAA41462BEFF9127154BAF261A24A5B
SHA-256:	D3074CBD29678CA612C1F8AA93DE1F5B75108BE8187F0F2A2331BC302AD48CD9
SHA-512:	9159D8AF457591256BA87443E89ECE942DE40B8FF39586116C2026330B8AE9C20F96905547E87D98508951D2B4687069EFD018CC9E4A6C94A6C26D4B587F41B3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............Z...Z...Z..[...Z..[...Z..[...Z..[...Z...Z...Z..[...Z.:Z...Z..[...ZRich...Z................PE..d....E.H.........."..........,....... .........@..........................................`.......... .......................................9..x....p..P....`..D............... ....5..T............................0...............1...............................text............................... ..`.rdata..&....0......................@..@.data... ....P.......0..............@....pdata..D....`.......2..............@..@.rsrc...P....p.......4..............@..@.reloc.. ............>..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101888
Entropy (8bit):	6.95002760620154
Encrypted:	false
SSDEEP:	3072:k8kEZwnVS570M9kdatGCO+xmBc+hMPhPsx:1khVs7nyatGt+SYF
MD5:	3104EA9ECCA9ED71A382CCAAD618CEAE
SHA1:	9277108B7254F0C5BD241C2643902378925A8F9C
SHA-256:	D8CB004D4E8894AB4CA769C3CEC9A37B7FAB336DCDA1E6E9A15975DC64CEF370
SHA-512:	27C84C35461E37557BA27A7D9E9F86A47686DE73DDC74E001777F11EA8D5BE9B17604403875CF20124595010477F6F2ADDD797B9ACED79C514AEF2D2F1A019B7
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.`M.h3M.h3M.h3"Jm2O.h3"Jk2O.h3"Jl2_.h3"Ji2F.h3M.i3}.h3"Ja2L.h3"J.3L.h3"Jj2L.h3RichM.h3........................PE..d....C............"............................@....................................0.....`.......... ......................................D,..x....`...c...P.................. ....(..T............................ ...............!...............................text............................... ..`.rdata....... ......................@..@.data........@.......$..............@....pdata.......P.......&..............@..@.rsrc....c...`...d...(..............@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.4988987994424146
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	E618EE247E3251D556DAF3D3C658C0A9
SHA1:	177C80CA1FDA1BA71113C7A1F648D911E8A0C4C9
SHA-256:	101AF5D6FC2DAA1B700D779CDBB54D9255FDEA3718BE0FC9F672B807346298C6
SHA-512:	261E7DE708350CAC5E52860F9432CDB1DEDA7289168C4A10F26CD36EABFBA28CA4DD3BBAF9708C9110E3FD13F9D22E5789D112D682CCCEC243F62E1D32980E30
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\uBsjD\DUI70.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2453504
Entropy (8bit):	4.027319224931197
Encrypted:	false
SSDEEP:	12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1XQ:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6A41878B4C9B36A4455B22A8EBBC846F
SHA1:	CF9CFC24FDC9B744A867B81E452C18A04042A4E2
SHA-256:	BC2B240D729D4DB74F14D302EC83EBD06C1ED7F340CF7CA8BE11F0184B263CE0
SHA-512:	7526BAC5EBDF82F434BC5E753F038AF339ADE485F59108A90D3CBB1589397DE08BCDE4C390AA7008395974E1B56F290A7787BCBD5145074B367AE8C2DB0A3BBB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." .........P!.....p..........@.............................p%.....@lx}..b...........................................!.dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.250876383836324
Encrypted:	false
SSDEEP:	768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
MD5:	1643D5735213BC89C0012F0E48253765
SHA1:	D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
SHA-256:	4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
SHA-512:	F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d.................".........V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(......................... ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.481123367178235
Encrypted:	false
SSDEEP:	96:JIj2Zt+j6ZP4zr1Q9EIj2Z0+ByNAI4v1lV3:O4tTgF8L40+8oXV3
MD5:	ED384AAFCE2EF80D0F36ED6D8B12E7B3
SHA1:	2D4B43B7864F08321B7702E6014A80D4BBAB0F24
SHA-256:	D55C29F6CD93EA549E21A9A294B036BB7621886B8DEDBDAFCA4BCFD287C0D8AD
SHA-512:	20B0483FBCA47C76328D8F0527C346DF626246EE0E70CACEC737C028CB6A9C2261C692BD07A00640459A96DBE0E1746D4DE44DDA6D1349F51CC7EF0B6ADE0E0C
Malicious:	false
Reputation:	unknown
Preview:	........................................user.........................................user.....................RSA1.................q00D..7..w.~......;<.Y......'7......VVmp/..."F.Q...#B......x.......K\|..K........~+:..:..%.J.+a(.....5...f.d...o...nV...........................z..O........D.Mb.G..m..#&....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....v?..`.G:AsQ.!..9mB........+...>............ ...!.Lt.}....S..!!.$'y.....D.$n..............4.A...A../.j.B.b.....6V:3..0...`..Ep....6.s..8....3.?`....LS..}F..+..Q_G..~.:........f..5...I..n.`..t..i....f.~b.rQ........#6.z...g...$.*y7...}B..>.Q6..,.....I_K.d........>.........d_.<..M0....D.p..>i.T.J...Q...}.g~... V7x...I.[&"ptk..x^.X.....\| @...~xB.....O.z...RA'^.}-..&....Ug._....f......F~.q^....;/.H....t.....8...A.ND.6...L.[j@...^.I..G.G^U=.[.2...k.7ln....@.:..l.8.....9@t.. ..m...j......-..........o-.t..4..V.k....k....u......`.J.skr<.`jq?....._.i...\..g@{..B.I5\|n)"..U+5.&......I...W..:#.d..`..o/......

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.5201402860449647
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	A1ogRC4R34.dll
File size:	2166784
MD5:	5edd6ba336c4de29f55cadfd2167a67e
SHA1:	af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256:	eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
SHA512:	01b133fad6f564e6736d5f7297284da9aa8cc67a1c28a57b7b7eb1989ee049318377df85fbbeda9f777c0d955f07706743dc2becc3994bf9727a8d040067f5d5
SSDEEP:	12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007F41A4B1713Fh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007F41A4B1711Eh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x20f010	0x196d	.evwibb
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64f2c	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio	0x110000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc	0x157000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw	0x159000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg	0x15a000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc	0x15c000	0x36d	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk	0x15d000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pjf	0x15f000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retjqj	0x160000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mizn	0x161000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrub	0x162000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fhgxfk	0x164000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wqpbrq	0x1aa000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xlhbgj	0x1ab000	0xebe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rzgl	0x1ac000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yic	0x1ad000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zfmbo	0x1ae000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kurwl	0x1af000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crlsf	0x1b0000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wrn	0x1b2000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.blcv	0x1b9000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.roblb	0x1ba000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yblxa	0x1bb000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tfy	0x1bc000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wsmv	0x1bd000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hrs	0x1be000	0x16c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ppapg	0x1bf000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.udm	0x1c0000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fxc	0x1c2000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fvxxk	0x1c4000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zmj	0x1c5000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zvz	0x1c6000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xyiz	0x20c000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gbzxp	0x20d000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kkivgv	0x20e000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.evwibb	0x20f000	0x197d	0x2000	False	0.318115234375	data	4.72480866446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
LogonIdFromWinStationNameA	2	0x1400154cc
LogonIdFromWinStationNameW	3	0x14001e670
RemoteAssistancePrepareSystemRestore	4	0x1400019b0
ServerGetInternetConnectorStatus	5	0x14000b840
ServerLicensingClose	6	0x140003cdc
ServerLicensingDeactivateCurrentPolicy	7	0x14003d540
ServerLicensingFreePolicyInformation	8	0x1400382b0
ServerLicensingGetAvailablePolicyIds	9	0x140038e3c
ServerLicensingGetPolicy	10	0x14002eee4
ServerLicensingGetPolicyInformationA	11	0x14003c028
ServerLicensingGetPolicyInformationW	12	0x140035608
ServerLicensingLoadPolicy	13	0x140031ff4
ServerLicensingOpenA	14	0x140037a88
ServerLicensingOpenW	15	0x14001cb14
ServerLicensingSetPolicy	16	0x140020cec
ServerLicensingUnloadPolicy	17	0x14002ed04
ServerQueryInetConnectorInformationA	18	0x1400185c8
ServerQueryInetConnectorInformationW	19	0x140035b78
ServerSetInternetConnectorStatus	20	0x14000af38
WTSRegisterSessionNotificationEx	21	0x14001d320
WTSUnRegisterSessionNotificationEx	22	0x14002e560
WinStationActivateLicense	23	0x14000744c
WinStationAutoReconnect	24	0x1400103c0
WinStationBroadcastSystemMessage	25	0x140033dac
WinStationCheckAccess	26	0x14000b518
WinStationCheckLoopBack	27	0x1400087e4
WinStationCloseServer	28	0x14001150c
WinStationConnectA	29	0x140037f54
WinStationConnectAndLockDesktop	30	0x140037230
WinStationConnectCallback	31	0x140024504
WinStationConnectEx	32	0x140009568
WinStationConnectW	33	0x14001e29c
WinStationCreateChildSessionTransport	34	0x14002b190
WinStationDisconnect	35	0x140033000
WinStationEnableChildSessions	36	0x14000e96c
WinStationEnumerateA	37	0x140011a98
WinStationEnumerateExW	38	0x14001faf4
WinStationEnumerateLicenses	39	0x14002d380
WinStationEnumerateProcesses	40	0x14003566c
WinStationEnumerateW	41	0x1400170b0
WinStationEnumerate_IndexedA	42	0x14002764c
WinStationEnumerate_IndexedW	43	0x14000da0c
WinStationFreeConsoleNotification	44	0x1400406e4
WinStationFreeEXECENVDATAEX	45	0x14003159c
WinStationFreeGAPMemory	46	0x1400141e0
WinStationFreeMemory	47	0x14000ef30
WinStationFreePropertyValue	48	0x140012754
WinStationFreeUserCertificates	49	0x14000e344
WinStationFreeUserCredentials	50	0x14001f31c
WinStationFreeUserSessionInfo	51	0x14002b4bc
WinStationGenerateLicense	52	0x14002d08c
WinStationGetAllProcesses	53	0x14001c2e8
WinStationGetAllSessionsEx	54	0x14001fea0
WinStationGetAllSessionsW	55	0x140019b9c
WinStationGetAllUserSessions	56	0x14001d4e0
WinStationGetChildSessionId	57	0x14000fb5c
WinStationGetConnectionProperty	58	0x1400148b4
WinStationGetCurrentSessionCapabilities	59	0x140005448
WinStationGetCurrentSessionConnectionProperty	60	0x140021e94
WinStationGetCurrentSessionTerminalName	61	0x140014980
WinStationGetDeviceId	62	0x14001e4fc
WinStationGetInitialApplication	63	0x140003a94
WinStationGetLanAdapterNameA	64	0x14003500c
WinStationGetLanAdapterNameW	65	0x1400304b8
WinStationGetLoggedOnCount	66	0x140037198
WinStationGetMachinePolicy	67	0x140028a38
WinStationGetParentSessionId	68	0x140018ad8
WinStationGetProcessSid	69	0x140023484
WinStationGetRedirectAuthInfo	70	0x140021df4
WinStationGetRestrictedLogonInfo	71	0x14000c674
WinStationGetSessionIds	72	0x140001acc
WinStationGetTermSrvCountersValue	73	0x14001665c
WinStationGetUserCertificates	74	0x140008794
WinStationGetUserCredentials	75	0x14003e30c
WinStationGetUserProfile	76	0x140002fbc
WinStationInstallLicense	77	0x14001ebcc
WinStationIsChildSessionsEnabled	78	0x14000a870
WinStationIsCurrentSessionRemoteable	79	0x1400310d4
WinStationIsHelpAssistantSession	80	0x14003e898
WinStationIsSessionPermitted	81	0x14000da1c
WinStationIsSessionRemoteable	82	0x1400179c0
WinStationNameFromLogonIdA	83	0x140034f78
WinStationNameFromLogonIdW	84	0x140024ed4
WinStationNegotiateSession	85	0x140015328
WinStationNtsdDebug	86	0x140030d6c
WinStationOpenServerA	87	0x140013ba8
WinStationOpenServerExA	88	0x14001d588
WinStationOpenServerExW	89	0x14003caec
WinStationOpenServerW	90	0x140003af8
WinStationPreCreateGlassReplacementSession	91	0x140036ff0
WinStationPreCreateGlassReplacementSessionEx	92	0x140018ab8
WinStationQueryAllowConcurrentConnections	93	0x14001d4bc
WinStationQueryCurrentSessionInformation	94	0x14000f5d0
WinStationQueryEnforcementCore	95	0x140034e24
WinStationQueryInformationA	96	0x140009954
WinStationQueryInformationW	97	0x140009c90
WinStationQueryLicense	98	0x14002f848
WinStationQueryLogonCredentialsW	99	0x14000bfb8
WinStationQuerySessionVirtualIP	100	0x14000ed90
WinStationQueryUpdateRequired	101	0x14001bb78
WinStationRcmShadow2	102	0x14003a4fc
WinStationRedirectErrorMessage	103	0x140003fc4
WinStationRedirectLogonBeginPainting	104	0x140040b1c
WinStationRedirectLogonError	105	0x1400329d0
WinStationRedirectLogonMessage	106	0x14001a8e8
WinStationRedirectLogonStatus	107	0x14000dcb0
WinStationRegisterConsoleNotification	108	0x14003db9c
WinStationRegisterConsoleNotificationEx	109	0x140004320
WinStationRegisterConsoleNotificationEx2	1	0x14000c190
WinStationRegisterCurrentSessionNotificationEvent	110	0x14001871c
WinStationRegisterNotificationEvent	111	0x14001caec
WinStationRemoveLicense	112	0x14000ad28
WinStationRenameA	113	0x14003e0a0
WinStationRenameW	114	0x140010064
WinStationReportUIResult	115	0x140030854
WinStationReset	116	0x1400280b0
WinStationRevertFromServicesSession	117	0x140020f9c
WinStationSendMessageA	118	0x14003dc44
WinStationSendMessageW	119	0x140025608
WinStationSendWindowMessage	120	0x1400378e4
WinStationServerPing	121	0x140027898
WinStationSetAutologonPassword	122	0x140015b60
WinStationSetInformationA	123	0x140036334
WinStationSetInformationW	124	0x14002f668
WinStationSetPoolCount	125	0x140012008
WinStationSetRenderHint	126	0x140010d54
WinStationShadow	127	0x14001f2bc
WinStationShadowAccessCheck	128	0x140036038
WinStationShadowStop	129	0x14000a3ec
WinStationShadowStop2	130	0x14001503c
WinStationShutdownSystem	131	0x14003a0e4
WinStationSwitchToServicesSession	132	0x140020bcc
WinStationSystemShutdownStarted	133	0x14003fcb8
WinStationSystemShutdownWait	134	0x14001536c
WinStationTerminateGlassReplacementSession	135	0x140028a90
WinStationTerminateProcess	136	0x140023fcc
WinStationUnRegisterConsoleNotification	137	0x14001e86c
WinStationUnRegisterNotificationEvent	138	0x14002ba70
WinStationUserLoginAccessCheck	139	0x14001b4d0
WinStationVerify	140	0x140027dbc
WinStationVirtualOpen	141	0x14000bec0
WinStationVirtualOpenEx	142	0x140020a5c
WinStationWaitSystemEvent	143	0x14000ab44
_NWLogonQueryAdmin	144	0x14001fc60
_NWLogonSetAdmin	145	0x14001ab3c
_WinStationAnnoyancePopup	146	0x140040f10
_WinStationBeepOpen	147	0x140039a50
_WinStationBreakPoint	148	0x14003182c
_WinStationCallback	149	0x14003d540
_WinStationCheckForApplicationName	150	0x140022e50
_WinStationFUSCanRemoteUserDisconnect	151	0x140028074
_WinStationGetApplicationInfo	152	0x14000a000
_WinStationNotifyDisconnectPipe	153	0x140006300
_WinStationNotifyLogoff	154	0x140001f14
_WinStationNotifyLogon	155	0x14002a208
_WinStationNotifyNewSession	156	0x140040c10
_WinStationOpenSessionDirectory	157	0x140008768
_WinStationReInitializeSecurity	158	0x140031648
_WinStationReadRegistry	159	0x140026d80
_WinStationSessionInitialized	160	0x1400057e0
_WinStationShadowTarget	161	0x14003b860
_WinStationShadowTarget2	162	0x140036f6c
_WinStationShadowTargetSetup	163	0x14000a8e8
_WinStationUpdateClientCachedCredentials	164	0x1400396cc
_WinStationUpdateSettings	165	0x1400388a4
_WinStationUpdateUserConfig	166	0x140007c8c
_WinStationWaitForConnect	167	0x14002f99c

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 01:52:31.790808916 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:31.823350906 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:32.465501070 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:32.498804092 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:32.730051041 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:32.765635967 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:33.804905891 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:33.817478895 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:33.818048954 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:33.848880053 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:34.985820055 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:34.999018908 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:40.845426083 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:40.859277964 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:42.300054073 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:42.336080074 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:51.166105032 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:51.181098938 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:55.513081074 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:55.547306061 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:00.430376053 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:00.457186937 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:09.478631020 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:09.492873907 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:19.529807091 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:19.543225050 CEST	53	50463	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:26.765866041 CEST	50394	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:26.779737949 CEST	53	50394	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:31.316761017 CEST	58530	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:31.335577965 CEST	53	58530	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:32.891992092 CEST	53813	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:32.906454086 CEST	53	53813	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:36.811083078 CEST	63732	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:36.830099106 CEST	53	63732	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:41.497210026 CEST	57344	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:41.514108896 CEST	53	57344	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:42.094588995 CEST	54450	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:42.162460089 CEST	53	54450	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:43.057723999 CEST	59261	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:43.071368933 CEST	53	59261	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:43.715352058 CEST	57151	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:43.728193045 CEST	53	57151	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:44.108999014 CEST	59413	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:44.176162004 CEST	53	59413	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:44.776848078 CEST	60516	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:44.871962070 CEST	53	60516	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:45.364443064 CEST	51649	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:45.381457090 CEST	53	51649	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:45.582349062 CEST	65086	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:45.617382050 CEST	53	65086	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:46.038453102 CEST	56432	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:46.054632902 CEST	53	56432	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:46.972182989 CEST	52929	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:46.989518881 CEST	53	52929	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:47.241627932 CEST	64317	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:47.256998062 CEST	53	64317	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:47.907243013 CEST	61004	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:47.922362089 CEST	53	61004	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:48.619767904 CEST	56895	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:48.634594917 CEST	53	56895	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:51.036287069 CEST	62372	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:51.052166939 CEST	53	62372	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:00.689531088 CEST	61515	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:00.702735901 CEST	53	61515	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:20.008591890 CEST	56675	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:20.024954081 CEST	53	56675	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:21.379786015 CEST	57172	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:21.392865896 CEST	53	57172	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:36.249819994 CEST	55267	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:36.305263042 CEST	53	55267	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:48.572086096 CEST	50969	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:48.586525917 CEST	53	50969	8.8.8.8	192.168.2.5
Sep 29, 2021 01:55:24.888780117 CEST	64362	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:55:24.904237986 CEST	53	64362	8.8.8.8	192.168.2.5
Sep 29, 2021 01:55:26.079010010 CEST	54766	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:55:26.094386101 CEST	53	54766	8.8.8.8	192.168.2.5
Sep 29, 2021 01:56:35.288681030 CEST	61446	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:56:35.305129051 CEST	53	61446	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 7096 Parent PID: 5844

General

Start time:	01:52:38
Start date:	29/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll'
Imagebase:	0x7ff77a010000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3192 Parent PID: 7096

General

Start time:	01:52:38
Start date:	29/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6408 Parent PID: 7096

General

Start time:	01:52:39
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6396 Parent PID: 3192

General

Start time:	01:52:39
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6408

General

Start time:	01:52:40
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6492 Parent PID: 7096

General

Start time:	01:52:42
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3684 Parent PID: 7096

General

Start time:	01:52:45
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rdpinit.exe PID: 6372 Parent PID: 3472

General

Start time:	01:53:25
Start date:	29/09/2021
Path:	C:\Windows\System32\rdpinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rdpinit.exe
Imagebase:	0x7ff642f20000
File size:	327168 bytes
MD5 hash:	EF7C9CF6EA5B8B9C5C8320990714C35D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rdpinit.exe PID: 5620 Parent PID: 3472

General

Start time:	01:53:27
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\fID\rdpinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\fID\rdpinit.exe
Imagebase:	0x7ff785a80000
File size:	327168 bytes
MD5 hash:	EF7C9CF6EA5B8B9C5C8320990714C35D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: DmNotificationBroker.exe PID: 4592 Parent PID: 3472

General

Start time:	01:53:38
Start date:	29/09/2021
Path:	C:\Windows\System32\DmNotificationBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DmNotificationBroker.exe
Imagebase:	0x7ff619e90000
File size:	32256 bytes
MD5 hash:	1643D5735213BC89C0012F0E48253765
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: DmNotificationBroker.exe PID: 5212 Parent PID: 3472

General

Start time:	01:53:42
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Imagebase:	0x7ff69e090000
File size:	32256 bytes
MD5 hash:	1643D5735213BC89C0012F0E48253765
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll64.exe PID: 7096 Parent PID: 5844 loaddll64.exeCOMMON

Executed Functions

Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140049BDD
}*, xrefs: 0000000140049620

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
Opcode Fuzzy Hash: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 000000014003704B
EntryPoint.A1OGRC4R34 ref: 00000001400370EE

Strings

d, xrefs: 0000000140037032
)8GV, xrefs: 0000000140037008

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleEntryFreePoint
String ID: )8GV$d
API String ID: 3550414006-3589632123
Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 000000014005D101

Strings

sy;, xrefs: 000000014005C420
sy;, xrefs: 000000014005C9ED

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: sy;$sy;
API String ID: 31276548-3660992706
Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

}*, xrefs: 000000014004C37C
}*, xrefs: 000000014004BDB0

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 000000014005D2ED

Strings

., xrefs: 000000014005D36A

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140026CC0, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

)8GV, xrefs: 000000014002703B
)8GV, xrefs: 0000000140027120

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: a474c31cc31dbb2bad411d4c623e5f6703c0a81594d7db2d3b405b35e95b2219
Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
Opcode Fuzzy Hash: a474c31cc31dbb2bad411d4c623e5f6703c0a81594d7db2d3b405b35e95b2219
Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A4B0, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000000014006A550

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 9f41864b2900007f84f8b1ad90144004543c6c2abfbff0cc5a6841cbcca8c7da
Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
Opcode Fuzzy Hash: 9f41864b2900007f84f8b1ad90144004543c6c2abfbff0cc5a6841cbcca8c7da
Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 0000000140048CDE

Part of subcall function 000000014005D1F0: FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035270, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

ExitProcess.KERNEL32 ref: 00000001400354E1

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseExitProcess
String ID:
API String ID: 3487036407-0
Opcode ID: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
Opcode Fuzzy Hash: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046C90, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034870, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
Opcode Fuzzy Hash: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000021C4CB32252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000021C4CB323B0
VirtualProtect.KERNELBASE ref: 0000021C4CB32471
RtlAvlRemoveNode.NTDLL ref: 0000021C4CB325B4
VirtualProtect.KERNELBASE ref: 0000021C4CB32677

Memory Dump Source

Source File: 00000001.00000002.254965271.0000021C4CB30000.00000040.00000001.sdmp, Offset: 0000021C4CB30000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 9a3ca7862159019bde050b3103e0817d85958f138547d010defeff87304002c1
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 56B1447A618BC886D770CB1AE4507DEB7A1F7D9B80F108026EE8957B69DB7DC8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B

Strings

4aX, xrefs: 000000014005FA09

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID: 4aX
API String ID: 3907675253-4042356595
Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DAE0, Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DD30, Relevance: 3.1, APIs: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014005DDD8
ReadFile.KERNELBASE ref: 000000014005DE49

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046F60, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0000000140046FDE

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE ref: 000000014005FEFE

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D1F0, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 0000000140060C16

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046690, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00000001400466DD

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046730, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014004678C

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699

Uniqueness

Uniqueness Score: -1.00%

Function 0000021C4CB32057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000021C4CB329A8), ref: 0000021C4CB320A7

Memory Dump Source

Source File: 00000001.00000002.254965271.0000021C4CB30000.00000040.00000001.sdmp, Offset: 0000021C4CB30000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 63a7c715e795e005ecb39df0260ff89cdee5d260ff4af62eeb971719d5f2224a
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: C6315C76715B8486D780DF1AE45479A7BA4F389BC4F208026EF8D87B28DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014002B6E0, Relevance: 8.2, Strings: 6, Instructions: 741COMMON

Download Yara Rule

Strings

GNOP, xrefs: 000000014002B9CB
4040, xrefs: 000000014002BB6A
3050, xrefs: 000000014002BB42
3050, xrefs: 000000014002B992
0020, xrefs: 000000014002B98B
0020, xrefs: 000000014002BB49

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP
API String ID: 0-829999343
Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071DC0, Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000000014007211B
VUUU, xrefs: 000000014007213B
VUUU, xrefs: 0000000140072194
ERCP, xrefs: 0000000140071EED

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400667D0, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

SW, xrefs: 0000000140066A1A
SW, xrefs: 0000000140066CA6
SW, xrefs: 0000000140066C49
SW, xrefs: 0000000140066A69

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SW$SW$SW$SW
API String ID: 0-1120820918
Opcode ID: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
Opcode Fuzzy Hash: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031DF0, Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140031FC2
GC,, xrefs: 0000000140032008
GC,, xrefs: 00000001400321D7
GC,, xrefs: 000000014003216C

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,$GC,$GC,
API String ID: 0-2774350030
Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140057950, Relevance: 4.5, Strings: 2, Instructions: 1977COMMON

Download Yara Rule

Strings

}*, xrefs: 00000001400579C0
}*, xrefs: 0000000140057F89

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
Opcode Fuzzy Hash: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400263C0, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

@, xrefs: 0000000140026B3F
)8GV, xrefs: 00000001400267B0
)8GV, xrefs: 0000000140026A4D

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: f984950c61b0be198d0d8ef7b9bd5c68dab9f7d96fdb049334a6dcd13fc514d1
Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
Opcode Fuzzy Hash: f984950c61b0be198d0d8ef7b9bd5c68dab9f7d96fdb049334a6dcd13fc514d1
Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400067B0, Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

POST, xrefs: 0000000140006CF6
GET, xrefs: 000000014000688D, 000000014000689B
*/*, xrefs: 0000000140006D02

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
Opcode Fuzzy Hash: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035520, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

{QN, xrefs: 00000001400355E1
GC,, xrefs: 0000000140035665
GC,, xrefs: 0000000140035622

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,${QN
API String ID: 0-3150587038
Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025DB0, Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140025E65
0, xrefs: 0000000140025FF4

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$GC,
API String ID: 0-3557465234
Opcode ID: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
Opcode Fuzzy Hash: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FB20, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

cLpS, xrefs: 000000014002FB76
cLpS, xrefs: 000000014002FB46

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS$cLpS
API String ID: 0-581437482
Opcode ID: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
Opcode Fuzzy Hash: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039140, Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

D, xrefs: 0000000140039B2B

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C5C0, Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000C5D5

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 661f230471d60ecbb39933eb60000974eafe41df73c72fb050cdf984b1df2847
Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
Opcode Fuzzy Hash: 661f230471d60ecbb39933eb60000974eafe41df73c72fb050cdf984b1df2847
Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015120, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 000000014001530B

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExpandStrings
String ID:
API String ID: 1839112984-0
Opcode ID: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
Opcode Fuzzy Hash: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019D20, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfc6c16767a4c3147f6e93b555eb8a7f5f9d30cf2392766f43ebf9096de9df6
Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
Opcode Fuzzy Hash: 3bfc6c16767a4c3147f6e93b555eb8a7f5f9d30cf2392766f43ebf9096de9df6
Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019580, Relevance: 2.0, APIs: 1, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9afe0c53f9a5a2c41ab01cc5cbb1ce22ff198fc853b8768ac58896c56666a0
Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
Opcode Fuzzy Hash: 4d9afe0c53f9a5a2c41ab01cc5cbb1ce22ff198fc853b8768ac58896c56666a0
Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EB0, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

cLpS, xrefs: 00000001400072A3

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS
API String ID: 0-2886372077
Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400139D0, Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

m, xrefs: 000000014001422E

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID: m
API String ID: 1964310414-3775001192
Opcode ID: 8a50abe8c5a3742640caa228dc7335edec43a3508cb7c45687419c797d7a8e0e
Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
Opcode Fuzzy Hash: 8a50abe8c5a3742640caa228dc7335edec43a3508cb7c45687419c797d7a8e0e
Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D100, Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

s( j, xrefs: 000000014001D128

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s( j
API String ID: 0-1450404818
Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029780, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

kw9b, xrefs: 000000014002989A

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumValue
String ID: kw9b
API String ID: 858281747-837114885
Opcode ID: a463ebc38ebe0ab291e536b9759c48d2e4c103a5bc978da41e1abb15e838d20a
Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
Opcode Fuzzy Hash: a463ebc38ebe0ab291e536b9759c48d2e4c103a5bc978da41e1abb15e838d20a
Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033BB0, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

U, xrefs: 000000014003408F

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 72024827e683f8274b41a935c33eff52f8b4dd36fd514cd6d3276c77a1fad1bc
Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
Opcode Fuzzy Hash: 72024827e683f8274b41a935c33eff52f8b4dd36fd514cd6d3276c77a1fad1bc
Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023530, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 000000014002385F

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: be166dffc27dae0f28fefab07ac9e8bc422439760b6c1762e901f21d4935f0ff
Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
Opcode Fuzzy Hash: be166dffc27dae0f28fefab07ac9e8bc422439760b6c1762e901f21d4935f0ff
Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400389A0, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140038A46

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID: 0
API String ID: 3535843008-4108050209
Opcode ID: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
Opcode Fuzzy Hash: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400205A0, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 000000014002069B

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
Opcode Fuzzy Hash: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EED0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 000000014002F04E

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023140, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

tI*k, xrefs: 0000000140023300

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tI*k
API String ID: 0-257501792
Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078570, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00000001400785BF

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F940, Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
Opcode Fuzzy Hash: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
Opcode Fuzzy Hash: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B220, Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024440, Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018630, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59e73cc9076a064f99eafccaaec7d80d36fe4b10998ce12be5d35ec0af9fc9f
Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
Opcode Fuzzy Hash: b59e73cc9076a064f99eafccaaec7d80d36fe4b10998ce12be5d35ec0af9fc9f
Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
Opcode Fuzzy Hash: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B120, Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B390, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069010, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 9f9cba7aa6e6b1d42b309293c9ea7f3a8c709476d01fbac2d947c588cc04c995
Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
Opcode Fuzzy Hash: 9f9cba7aa6e6b1d42b309293c9ea7f3a8c709476d01fbac2d947c588cc04c995
Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E170, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
Opcode Fuzzy Hash: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002980, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
Opcode Fuzzy Hash: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd9e9d569959956f0436bd64c4ef6f33e80a542a091d9999c01e6a56ab768a9
Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
Opcode Fuzzy Hash: fbd9e9d569959956f0436bd64c4ef6f33e80a542a091d9999c01e6a56ab768a9
Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010880, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D910, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
Opcode Fuzzy Hash: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033540, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
Opcode Fuzzy Hash: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9fca4ef37f2f646f8f484f052d6c6cb090e5de6006e0c91dd90195c41f6835
Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
Opcode Fuzzy Hash: 3f9fca4ef37f2f646f8f484f052d6c6cb090e5de6006e0c91dd90195c41f6835
Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
Opcode Fuzzy Hash: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
Opcode Fuzzy Hash: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064080, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030530, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A110, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
Opcode Fuzzy Hash: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F490, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031540, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
Opcode Fuzzy Hash: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066020, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B424, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B436, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B446, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
Opcode Fuzzy Hash: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001010, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece24c6383d481359da45c4a9ca9543c9b728e9b17bacba2c33916ec7d8e2a7a
Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
Opcode Fuzzy Hash: ece24c6383d481359da45c4a9ca9543c9b728e9b17bacba2c33916ec7d8e2a7a
Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018300, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
Opcode Fuzzy Hash: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016100, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
Opcode Fuzzy Hash: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032650, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
Opcode Fuzzy Hash: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D850, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001620, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
Opcode Fuzzy Hash: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
Opcode Fuzzy Hash: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022730, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031340, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F840, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
Opcode Fuzzy Hash: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022340, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005370, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.254494535.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254671437.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.254728607.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.254738204.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6408 Parent PID: 7096 rundll32.exeCOMMON

Executed Functions

Function 0000022E062C2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000022E062C23B0
VirtualProtect.KERNELBASE ref: 0000022E062C2471
RtlAvlRemoveNode.NTDLL ref: 0000022E062C25B4
VirtualProtect.KERNELBASE ref: 0000022E062C2677

Memory Dump Source

Source File: 00000003.00000002.328112094.0000022E062C0000.00000040.00000001.sdmp, Offset: 0000022E062C0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: ca5e6e783744fe1873486422b69737eb2c3db1149c0e79b29f9f47fb423bed49
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 02B166B6619BD486DB30CB5AE44079EB7A0F7C9B90F108026EE8D53B58CB79C9528F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000022E062C2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000022E062C29A8), ref: 0000022E062C20A7

Memory Dump Source

Source File: 00000003.00000002.328112094.0000022E062C0000.00000040.00000001.sdmp, Offset: 0000022E062C0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 9f75849446f02faaa7a76a7eb715a9092445226ccd9e6e5ec0ccea4e5fa1aabc
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 8E315CB2615B9086DB80DF1AE45575A7BA0F389BD4F218026FF8D97B18DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6396 Parent PID: 3192 rundll32.exeCOMMON

Executed Functions

Function 000001FEDB582252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001FEDB5823B0
VirtualProtect.KERNELBASE ref: 000001FEDB582471
RtlAvlRemoveNode.NTDLL ref: 000001FEDB5825B4
VirtualProtect.KERNELBASE ref: 000001FEDB582677

Memory Dump Source

Source File: 00000004.00000002.234660321.000001FEDB580000.00000040.00000001.sdmp, Offset: 000001FEDB580000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 71139f952394ce3ac0399d8236843e0592f8ab1cfb351a25e4e45202c459c911
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 66B15576618BC586DB30CB5AF4407DEB7A1F7C9B80F148026EE8957B69DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001FEDB582057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001FEDB5829A8), ref: 000001FEDB5820A7

Memory Dump Source

Source File: 00000004.00000002.234660321.000001FEDB580000.00000040.00000001.sdmp, Offset: 000001FEDB580000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 1413423e79219eee230a08f9614a25056437da22ff8c86a54e3e2193c4ce4814
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 01315E76615B9486D780DF1AF45479A7BA1F389BC4F204026EF8D87B28DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6492 Parent PID: 7096 rundll32.exeCOMMON

Executed Functions

Function 0000024B79BF2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000024B79BF23B0
VirtualProtect.KERNELBASE ref: 0000024B79BF2471
RtlAvlRemoveNode.NTDLL ref: 0000024B79BF25B4
VirtualProtect.KERNELBASE ref: 0000024B79BF2677

Memory Dump Source

Source File: 00000006.00000002.241723678.0000024B79BF0000.00000040.00000001.sdmp, Offset: 0000024B79BF0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 507fddeb9e541e2f10aca9f6ff465d990f2020edec9e62b8b841c458c148b300
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: BAB144B7618BC486E770CB1AE44079EB7A1F7C9B90F108126EEC957B58DB79C8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000024B79BF2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000024B79BF29A8), ref: 0000024B79BF20A7

Memory Dump Source

Source File: 00000006.00000002.241723678.0000024B79BF0000.00000040.00000001.sdmp, Offset: 0000024B79BF0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 48ace214d7f866a33bccdfe809eded382d0273c0e995f4213fa039e15d9acd8f
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: C6313C72615B9086D790DF1AE45475ABBA1F3C9BD4F209026EF8D87B18DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3684 Parent PID: 7096 rundll32.exeCOMMON

Executed Functions

Function 000002CFEF0A2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000002CFEF0A23B0
VirtualProtect.KERNELBASE ref: 000002CFEF0A2471
RtlAvlRemoveNode.NTDLL ref: 000002CFEF0A25B4
VirtualProtect.KERNELBASE ref: 000002CFEF0A2677

Memory Dump Source

Source File: 00000007.00000002.249016548.000002CFEF0A0000.00000040.00000001.sdmp, Offset: 000002CFEF0A0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 35084e9d2032ee7370fe13d02fc45d425b42aff6217fd99c67c1d6ae1a228103
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 28B15677618BC486E770CB1AE440B9EB7A1F7C9B80F118026DF8957B68DB7AC8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000002CFEF0A2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002CFEF0A29A8), ref: 000002CFEF0A20A7

Memory Dump Source

Source File: 00000007.00000002.249016548.000002CFEF0A0000.00000040.00000001.sdmp, Offset: 000002CFEF0A0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 30cadd093f7813a207440d3c7f25796e725b8f8b2e1ad56505e090c5add0b7e4
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 63313A72715B9086D790DF1AE454B5A7BA1F389BD4F219026EF8D87B28DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rdpinit.exe PID: 5620 Parent PID: 3472 rdpinit.exeCOMMON

Executed Functions

Function 0000027A7C9E2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000027A7C9E23B0
VirtualProtect.KERNELBASE ref: 0000027A7C9E2471
RtlAvlRemoveNode.NTDLL ref: 0000027A7C9E25B4
VirtualProtect.KERNELBASE ref: 0000027A7C9E2677

Memory Dump Source

Source File: 00000018.00000002.357144906.0000027A7C9E0000.00000040.00000001.sdmp, Offset: 0000027A7C9E0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 03d282e72ce0121ba56aada9414d4ebb04eb4af4380ff723f2b7b3b440b04762
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 2DB14277619BC486E7708B1AE44079EB7A1F7D9B90F10802AEE8D57B58DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000027A7C9E2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000027A7C9E29A8), ref: 0000027A7C9E20A7

Memory Dump Source

Source File: 00000018.00000002.357144906.0000027A7C9E0000.00000040.00000001.sdmp, Offset: 0000027A7C9E0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 229733c034128e2a73207b5e2e5c45e4fd4ff7f809138b650accb4f65e00f017
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 28312A72615B9086D790DF1AE45475E7BA4F389BD4F209026EF8D97B28DF3AC446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF785A82EA4, Relevance: 582.6, APIs: 317, Strings: 10, Instructions: 10349memoryCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF785A82F19
VerifyVersionInfoW.KERNEL32 ref: 00007FF785A82F2B
GetProcessHeap.KERNEL32 ref: 00007FF785A82FD7
HeapAlloc.KERNEL32 ref: 00007FF785A82FE5

Part of subcall function 00007FF785A8E570: GetModuleHandleExA.KERNEL32 ref: 00007FF785A8E5A4
Part of subcall function 00007FF785A8E570: GetProcAddress.KERNEL32 ref: 00007FF785A8E5BA
Part of subcall function 00007FF785A8E570: FreeLibrary.KERNEL32 ref: 00007FF785A8E5DA

Part of subcall function 00007FF785A8E53C: TraceMessage.ADVAPI32 ref: 00007FF785A8E565

Strings

Default, xrefs: 00007FF785A837CA
ntdll.dll, xrefs: 00007FF785A8535F, 00007FF785A8BCFA
Segoe UI Light, xrefs: 00007FF785A8763A
, xrefs: 00007FF785A89F61
, xrefs: 00007FF785A88142
SLGetWindowsInformationDWORD failed!, xrefs: 00007FF785A8CD49
NtQuerySystemInformation, xrefs: 00007FF785A853C9, 00007FF785A8BD59
g, xrefs: 00007FF785A86DC4
WinSta0, xrefs: 00007FF785A837AE
TerminalServices-RemoteApplications-ClientSku-RAILAllowed, xrefs: 00007FF785A83B4E, 00007FF785A841E4, 00007FF785A84367

Memory Dump Source

Source File: 00000018.00000002.359278107.00007FF785A81000.00000020.00020000.sdmp, Offset: 00007FF785A80000, based on PE: true

Associated: 00000018.00000002.359256303.00007FF785A80000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359333389.00007FF785ABE000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359362279.00007FF785ACD000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.359385366.00007FF785ACE000.00000008.00020000.sdmp Download File
Associated: 00000018.00000002.359398653.00007FF785AD1000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359419413.00007FF785AD4000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AddressAllocConditionFreeHandleInfoLibraryMaskMessageModuleProcProcessTraceVerifyVersion
String ID: $ $Default$NtQuerySystemInformation$SLGetWindowsInformationDWORD failed!$Segoe UI Light$TerminalServices-RemoteApplications-ClientSku-RAILAllowed$WinSta0$g$ntdll.dll
API String ID: 3436727695-4118828087
Opcode ID: 47f3e3c9ae61dfd922a753323f88a4197e8177d8180bfebbab1cb8365be6d6ee
Instruction ID: b76995a54c3f68084fba512b5dd568b9342f706511e5af358855121a4c4082c7
Opcode Fuzzy Hash: 47f3e3c9ae61dfd922a753323f88a4197e8177d8180bfebbab1cb8365be6d6ee
Instruction Fuzzy Hash: D524C272B147818AE724DF35D880AADBBA1FF48B68FA04135DA0E97B54DF38E944C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF785A91EC8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF785A91EFF
OpenEventW.KERNEL32 ref: 00007FF785A91F26
GetLastError.KERNEL32 ref: 00007FF785A91F35
CloseHandle.KERNEL32 ref: 00007FF785A91F84
CoTaskMemFree.OLE32 ref: 00007FF785A91F99
GetLastError.KERNEL32 ref: 00007FF785A91FB1

Strings

%s%s, xrefs: 00007FF785A91EED
Local\AppReadinessCompletionEvent, xrefs: 00007FF785A91EDC

Memory Dump Source

Source File: 00000018.00000002.359278107.00007FF785A81000.00000020.00020000.sdmp, Offset: 00007FF785A80000, based on PE: true

Associated: 00000018.00000002.359256303.00007FF785A80000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359333389.00007FF785ABE000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359362279.00007FF785ACD000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.359385366.00007FF785ACE000.00000008.00020000.sdmp Download File
Associated: 00000018.00000002.359398653.00007FF785AD1000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359419413.00007FF785AD4000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CloseEventFreeHandleOpenTask_cwprintf_s_l
String ID: %s%s$Local\AppReadinessCompletionEvent
API String ID: 2842066113-3079491575
Opcode ID: edc81eae877c5ea22d201165c0b4609966103a5f653bf748b61c6907dfd90955
Instruction ID: 95648a197b81168adcfb0d782fa19bf266fee5e2bcecb1d78ccf625fb75f74b2
Opcode Fuzzy Hash: edc81eae877c5ea22d201165c0b4609966103a5f653bf748b61c6907dfd90955
Instruction Fuzzy Hash: 7931D322B14B1685FB04A775A9806BCABF4BF44BA4FA40136DE1E57BA8DF3CD450C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF785AAFEA0, Relevance: 12.2, APIs: 8, Instructions: 169COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF785AAFEC1
calloc.LIBCMT ref: 00007FF785AAFECF

Part of subcall function 00007FF785AB25E4: _errno.LIBCMT ref: 00007FF785AB2607
Part of subcall function 00007FF785AB25E4: _errno.LIBCMT ref: 00007FF785AB2611

calloc.LIBCMT ref: 00007FF785AAFF76
GetFileType.KERNEL32 ref: 00007FF785AAFFF2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF785AB002E

Memory Dump Source

Source File: 00000018.00000002.359278107.00007FF785A81000.00000020.00020000.sdmp, Offset: 00007FF785A80000, based on PE: true

Associated: 00000018.00000002.359256303.00007FF785A80000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359333389.00007FF785ABE000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359362279.00007FF785ACD000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.359385366.00007FF785ACE000.00000008.00020000.sdmp Download File
Associated: 00000018.00000002.359398653.00007FF785AD1000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.359419413.00007FF785AD4000.00000002.00020000.sdmp Download File

Similarity

API ID: _errnocalloc$CountCriticalFileInfoInitializeSectionSpinStartupType
String ID:
API String ID: 1140310343-0
Opcode ID: fb42bb65d18bd0072488fd083a99a05dd2b34d83d9a31d5526ae12d381bab424
Instruction ID: ab450eec852a83520849e5f1feb2996f23268307b1246c907c46609beb654c1f
Opcode Fuzzy Hash: fb42bb65d18bd0072488fd083a99a05dd2b34d83d9a31d5526ae12d381bab424
Instruction Fuzzy Hash: CB719122A0878286EB15AB15D4C476CBBA0FF44F74FA48635CA6E433D1EE3CE445C362

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report A1ogRC4R34

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Exploits:

Compliance:

Spreading:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back