Play interactive tour

Edit tour

Windows Analysis Report A2qAaSVuU2

Overview

General Information

Sample Name:	A2qAaSVuU2 (renamed file extension from none to dll)
Analysis ID:	492853
MD5:	f8295446e335b679641637334c99242d
SHA1:	18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256:	96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Contains functionality to automate explorer (e.g. start an application)

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries device information via Setup API

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to get notified if a device is plugged in / out

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

Contains functionality to read device registry values (via SetupAPI)

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 3104 cmdline: loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 5772 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 3332 cmdline: rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2588 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

SysResetErr.exe (PID: 2876 cmdline: C:\Windows\system32\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)

SysResetErr.exe (PID: 484 cmdline: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)

RecoveryDrive.exe (PID: 5932 cmdline: C:\Windows\system32\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)

RecoveryDrive.exe (PID: 6092 cmdline: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)

MusNotificationUx.exe (PID: 4756 cmdline: C:\Windows\system32\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)

MusNotificationUx.exe (PID: 3940 cmdline: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)

SndVol.exe (PID: 3532 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)

SndVol.exe (PID: 1208 cmdline: C:\Users\user\AppData\Local\QiP6c\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)

EhStorAuthn.exe (PID: 3016 cmdline: C:\Windows\system32\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)

EhStorAuthn.exe (PID: 2424 cmdline: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)

mstsc.exe (PID: 5972 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

mstsc.exe (PID: 5668 cmdline: C:\Users\user\AppData\Local\VgY\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

rundll32.exe (PID: 2436 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 800 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%	Perma Link
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%	Perma Link
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Antivirus / Scanner detection for submitted sample

Show sources

Source: A2qAaSVuU2.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Show sources

Source: A2qAaSVuU2.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A0C4 CryptReleaseContext,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,	24_2_00007FF7BC80A0C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80998C GetProcessHeap,HeapFree,CryptReleaseContext,GetProcessHeap,HeapFree,	24_2_00007FF7BC80998C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809A24 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC809A24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80AC28 CryptGetUserKey,GetLastError,CryptDestroyKey,	24_2_00007FF7BC80AC28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8087EC UuidCreate,UuidToStringW,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,RpcStringFreeW,	24_2_00007FF7BC8087EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A198 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC80A198
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8082F0 CryptGenKey,GetLastError,CryptDestroyKey,GetProcessHeap,HeapAlloc,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC8082F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B18290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError,	29_2_00007FF618B18290
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325B64 CryptProtectData,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LocalFree,	36_2_00007FF6F2325B64
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325DD8 memset,RegOpenKeyW,RegQueryValueExW,LocalAlloc,RegQueryValueExW,RegCloseKey,LocalFree,CryptUnprotectData,LocalFree,LocalFree,	36_2_00007FF6F2325DD8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF52C CryptProtectData,LocalAlloc,LocalFree,	41_2_00007FF657DAF52C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	41_2_00007FF657DAF8FC

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

Code function: 36_2_00007FF6F23211E0 RegisterTraceGuidsW,CommandLineToArgvW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,LocalAlloc,LocalFree,UnregisterClassW,LocalFree,UnregisterDeviceNotification,GetLastError,FindWindowW,SendMessageW,memset,RegisterClassExW,CreateWindowExW,GetLastError,ShowWindow,memset,RegisterDeviceNotificationW,GetLastError,TranslateMessage,DispatchMessageW,GetMessageW,GetLastError,UnregisterTraceGuids,

36_2_00007FF6F23211E0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7DB29C memset,GetSystemWindowsDirectoryW,GetLastError,memset,GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapFree,memset,GetVolumeInformationW,LoadStringW,GetProcessHeap,HeapFree,

24_2_00007FF7BC7DB29C

Source: SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp

String found in binary or memory: http://schemas.micro

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,

24_2_00007FF7BC855C64

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140034870	0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035270	0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048AC0	0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005C340	0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140065B80	0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0	0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400524B0	0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026CC0	0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004BD40	0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400495B0	0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036F30	0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069010	0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001010	0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140066020	0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F840	0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D850	0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064080	0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140010880	0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400688A0	0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002D0D0	0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400018D0	0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016100	0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D100	0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002A110	0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D910	0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140015120	0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000B120	0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F940	0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140039140	0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023140	0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140057950	0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001E170	0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140002980	0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400611A0	0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400389A0	0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400381A0	0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002E1B0	0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400139D0	0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400319F0	0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EA00	0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022A00	0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003B220	0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140067A40	0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069A50	0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007A60	0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003AAC0	0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003A2E0	0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140062B00	0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018300	0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FB20	0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031340	0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022340	0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017B40	0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000BB40	0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004EB60	0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005370	0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002CB80	0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B390	0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140054BA0	0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033BB0	0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400263C0	0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400123C0	0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063BD0	0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400663F0	0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023BF0	0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B41B	0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B424	0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B42D	0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B436	0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B43D	0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140024440	0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005C40	0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B446	0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005F490	0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022D00	0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035520	0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019D20	0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140030530	0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023530	0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031540	0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033540	0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014007BD50	0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140078570	0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019580	0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400205A0	0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025DB0	0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140071DC0	0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000C5C0	0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002DDE0	0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031DF0	0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000DDF0	0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001620	0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018630	0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032650	0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064E80	0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016E80	0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007EA0	0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400286B0	0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006EB0	0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400276C0	0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FEC0	0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EED0	0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B6E0	0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053F20	0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022730	0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140029780	0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018F80	0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003EFB0	0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400067B0	0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400667D0	0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060FE0	0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F81424	21_2_00007FF727F81424
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821DAC	24_2_00007FF7BC821DAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8D98	24_2_00007FF7BC7D8D98
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7DE0	24_2_00007FF7BC7D7DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832DE0	24_2_00007FF7BC832DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC846D24	24_2_00007FF7BC846D24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EBD70	24_2_00007FF7BC7EBD70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC842EA8	24_2_00007FF7BC842EA8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC845EB0	24_2_00007FF7BC845EB0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EAEEC	24_2_00007FF7BC7EAEEC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D1E50	24_2_00007FF7BC7D1E50
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81BE40	24_2_00007FF7BC81BE40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816E74	24_2_00007FF7BC816E74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6FC4	24_2_00007FF7BC7F6FC4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC807FD4	24_2_00007FF7BC807FD4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DFF0	24_2_00007FF7BC82DFF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F2FE8	24_2_00007FF7BC7F2FE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6000	24_2_00007FF7BC7D6000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8010	24_2_00007FF7BC7D8010
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819000	24_2_00007FF7BC819000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83EF24	24_2_00007FF7BC83EF24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82EF40	24_2_00007FF7BC82EF40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830F40	24_2_00007FF7BC830F40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E0F74	24_2_00007FF7BC7E0F74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FC0A0	24_2_00007FF7BC7FC0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EE0A0	24_2_00007FF7BC7EE0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83D0C0	24_2_00007FF7BC83D0C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EF0F0	24_2_00007FF7BC7EF0F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8260E0	24_2_00007FF7BC8260E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83E104	24_2_00007FF7BC83E104
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F020	24_2_00007FF7BC84F020
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7058	24_2_00007FF7BC7D7058
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC802074	24_2_00007FF7BC802074
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A080	24_2_00007FF7BC84A080
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E19A0	24_2_00007FF7BC7E19A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8409B0	24_2_00007FF7BC8409B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8009C4	24_2_00007FF7BC8009C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FF9F0	24_2_00007FF7BC7FF9F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E89F0	24_2_00007FF7BC7E89F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7A00	24_2_00007FF7BC7D7A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FE9FC	24_2_00007FF7BC7FE9FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DCA0C	24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC827A00	24_2_00007FF7BC827A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F8980	24_2_00007FF7BC7F8980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC823980	24_2_00007FF7BC823980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D9AB4	24_2_00007FF7BC7D9AB4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84FA9C	24_2_00007FF7BC84FA9C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E9AE0	24_2_00007FF7BC7E9AE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ECAF0	24_2_00007FF7BC7ECAF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC837B10	24_2_00007FF7BC837B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831B10	24_2_00007FF7BC831B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834B14	24_2_00007FF7BC834B14
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813A30	24_2_00007FF7BC813A30
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F3A1C	24_2_00007FF7BC7F3A1C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DA40	24_2_00007FF7BC82DA40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC838A90	24_2_00007FF7BC838A90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84DBA0	24_2_00007FF7BC84DBA0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6BDC	24_2_00007FF7BC7D6BDC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC833C08	24_2_00007FF7BC833C08
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F9B24	24_2_00007FF7BC7F9B24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80FB18	24_2_00007FF7BC80FB18
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80BB70	24_2_00007FF7BC80BB70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1CAC	24_2_00007FF7BC7E1CAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DBCE0	24_2_00007FF7BC7DBCE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FFCF0	24_2_00007FF7BC7FFCF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EFC40	24_2_00007FF7BC7EFC40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC829C70	24_2_00007FF7BC829C70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FBC58	24_2_00007FF7BC7FBC58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830C90	24_2_00007FF7BC830C90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC808C80	24_2_00007FF7BC808C80
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E85EC	24_2_00007FF7BC7E85EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831608	24_2_00007FF7BC831608
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC814610	24_2_00007FF7BC814610
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E3530	24_2_00007FF7BC7E3530
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832590	24_2_00007FF7BC832590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC841578	24_2_00007FF7BC841578
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8590	24_2_00007FF7BC7D8590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FA6F4	24_2_00007FF7BC7FA6F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83566C	24_2_00007FF7BC83566C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F7684	24_2_00007FF7BC7F7684
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D568C	24_2_00007FF7BC7D568C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8227A0	24_2_00007FF7BC8227A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DA7C0	24_2_00007FF7BC7DA7C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC847808	24_2_00007FF7BC847808
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A810	24_2_00007FF7BC84A810
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82474C	24_2_00007FF7BC82474C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC801740	24_2_00007FF7BC801740
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FB76C	24_2_00007FF7BC7FB76C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82F790	24_2_00007FF7BC82F790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8790	24_2_00007FF7BC7D8790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80B77C	24_2_00007FF7BC80B77C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83F780	24_2_00007FF7BC83F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F780	24_2_00007FF7BC84F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82089C	24_2_00007FF7BC82089C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8398E0	24_2_00007FF7BC8398E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8491D0	24_2_00007FF7BC8491D0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E1D8	24_2_00007FF7BC80E1D8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E720C	24_2_00007FF7BC7E720C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC836200	24_2_00007FF7BC836200
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81012C	24_2_00007FF7BC81012C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1130	24_2_00007FF7BC7E1130
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC839170	24_2_00007FF7BC839170
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC857160	24_2_00007FF7BC857160
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84517C	24_2_00007FF7BC84517C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DB29C	24_2_00007FF7BC7DB29C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834298	24_2_00007FF7BC834298
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D52AC	24_2_00007FF7BC7D52AC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8442D4	24_2_00007FF7BC8442D4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DD2E0	24_2_00007FF7BC7DD2E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8282F0	24_2_00007FF7BC8282F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8012EC	24_2_00007FF7BC8012EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F224C	24_2_00007FF7BC7F224C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813270	24_2_00007FF7BC813270
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809264	24_2_00007FF7BC809264
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ED290	24_2_00007FF7BC7ED290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84340C	24_2_00007FF7BC84340C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821320	24_2_00007FF7BC821320
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DF378	24_2_00007FF7BC7DF378
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8384A4	24_2_00007FF7BC8384A4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82A4E0	24_2_00007FF7BC82A4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82E4E0	24_2_00007FF7BC82E4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83B510	24_2_00007FF7BC83B510
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DC430	24_2_00007FF7BC7DC430
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80343C	24_2_00007FF7BC80343C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4454	24_2_00007FF7BC7F4454
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B019F0	29_2_00007FF618B019F0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA9EC	29_2_00007FF618AFA9EC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD9E4	29_2_00007FF618AFD9E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF71D8	29_2_00007FF618AF71D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB5C0	29_2_00007FF618AFB5C0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC5B8	29_2_00007FF618AFC5B8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCE18	29_2_00007FF618AFCE18
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0E5DC	29_2_00007FF618B0E5DC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04208	29_2_00007FF618B04208
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B109E8	29_2_00007FF618B109E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF61FC	29_2_00007FF618AF61FC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03570	29_2_00007FF618B03570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0ED88	29_2_00007FF618B0ED88
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B169A8	29_2_00007FF618B169A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0CDA8	29_2_00007FF618B0CDA8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A16C	29_2_00007FF618B0A16C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C570	29_2_00007FF618B0C570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD6E4	29_2_00007FF618AFD6E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07EE0	29_2_00007FF618B07EE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C318	29_2_00007FF618B0C318
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBEC4	29_2_00007FF618AFBEC4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BEB8	29_2_00007FF618B0BEB8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A6C8	29_2_00007FF618B0A6C8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B02720	29_2_00007FF618B02720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07720	29_2_00007FF618B07720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B186D8	29_2_00007FF618B186D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA26C	29_2_00007FF618AFA26C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11688	29_2_00007FF618B11688
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC25C	29_2_00007FF618AFC25C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF67F4	29_2_00007FF618AF67F4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD3E8	29_2_00007FF618AFD3E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9FE8	29_2_00007FF618AF9FE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCBE4	29_2_00007FF618AFCBE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0AC0C	29_2_00007FF618B0AC0C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B007D8	29_2_00007FF618B007D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B05C2C	29_2_00007FF618B05C2C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B08BCC	29_2_00007FF618B08BCC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB80C	29_2_00007FF618AFB80C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B083E0	29_2_00007FF618B083E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBB68	29_2_00007FF618AFBB68
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF4760	29_2_00007FF618AF4760
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360	29_2_00007FF618AFF360
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06754	29_2_00007FF618B06754
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BBAC	29_2_00007FF618B0BBAC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1C3B4	29_2_00007FF618B1C3B4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F33C	29_2_00007FF618B0F33C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B047A8	29_2_00007FF618B047A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB38C	29_2_00007FF618AFB38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE38C	29_2_00007FF618AFE38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06B7C	29_2_00007FF618B06B7C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFECE8	29_2_00007FF618AFECE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFDCE4	29_2_00007FF618AFDCE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03CE0	29_2_00007FF618B03CE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B044C4	29_2_00007FF618B044C4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11130	29_2_00007FF618B11130
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9D28	29_2_00007FF618AF9D28
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F8CC	29_2_00007FF618B0F8CC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC908	29_2_00007FF618AFC908
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B01100	29_2_00007FF618B01100
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFACFC	29_2_00007FF618AFACFC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06048	29_2_00007FF618B06048
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE040	29_2_00007FF618AFE040
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB03C	29_2_00007FF618AFB03C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11CB0	29_2_00007FF618B11CB0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0944C	29_2_00007FF618B0944C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1044C	29_2_00007FF618B1044C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0D054	29_2_00007FF618B0D054
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04C80	29_2_00007FF618B04C80
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A070	29_2_00007FF618B0A070
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B03A0	34_2_00007FF74A7B03A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B2BD8	34_2_00007FF74A7B2BD8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B3718	34_2_00007FF74A7B3718
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B0CA8	34_2_00007FF74A7B0CA8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BC4D0	34_2_00007FF74A7BC4D0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A44E8	34_2_00007FF74A7A44E8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3514	34_2_00007FF74A7A3514
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3080	34_2_00007FF74A7A3080
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BB088	34_2_00007FF74A7BB088
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA1A0	34_2_00007FF74A7AA1A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8	34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A8310	34_2_00007FF74A7A8310
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B4F10	34_2_00007FF74A7B4F10
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A6218	34_2_00007FF74A7A6218
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2321B80	36_2_00007FF6F2321B80
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2324600	36_2_00007FF6F2324600
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2328BC8	36_2_00007FF6F2328BC8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2322CD0	36_2_00007FF6F2322CD0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23241D8	36_2_00007FF6F23241D8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23211E0	36_2_00007FF6F23211E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D464DC	41_2_00007FF657D464DC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D484C0	41_2_00007FF657D484C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4A858	41_2_00007FF657D4A858
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48060	41_2_00007FF657D48060
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D35410	41_2_00007FF657D35410
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D477C0	41_2_00007FF657D477C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D36B94	41_2_00007FF657D36B94
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D74320	41_2_00007FF657D74320
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D512E0	41_2_00007FF657D512E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D34EC4	41_2_00007FF657D34EC4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4EAB4	41_2_00007FF657D4EAB4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DC1690	41_2_00007FF657DC1690
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3DA8C	41_2_00007FF657D3DA8C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4CE08	41_2_00007FF657D4CE08
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D435EC	41_2_00007FF657D435EC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48DF0	41_2_00007FF657D48DF0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0	41_2_00007FF657D439A0

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC81CA8C appears 41 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7DE9C4 appears 36 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC80D0A8 appears 57 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3D44 appears 916 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3B08 appears 48 times

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140046C90 NtClose,	0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,	0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlFreeHeap,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A090 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,	24_2_00007FF7BC81A090
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A9C8 memset,CreateFileW,NtClose,	24_2_00007FF7BC81A9C8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A984 NtReadFile,	24_2_00007FF7BC81A984
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FlushFileBuffers,GetLastError,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile,	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,	24_2_00007FF7BC855C64
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81C56C NtQuerySystemInformation,	24_2_00007FF7BC81C56C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C memset,memset,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapAlloc,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetEvent,NtPowerInformation,PowerCreateRequest,PowerSetRequest,PowerSetRequest,SetThreadExecutionState,memset,GetSystemWindowsDirectoryW,GetLastError,SetThreadExecutionState,PowerClearRequest,CloseHandle,SetEvent,GetProcessHeap,HeapFree,	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0 memset,RtlGetVersion,GetCurrentProcess,SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationThread,NtSetInformationProcess,NtSetInformationThread,	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350 memset,memset,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetLastError,SetLastError,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,UuidCreate,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A38C GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,	24_2_00007FF7BC81A38C

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80FE20: SetLastError,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetProcessHeap,HeapFree,SetLastError,

24_2_00007FF7BC80FE20

Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\explorer.exe

Section loaded: windows.globalization.dll

Jump to behavior

Source: A2qAaSVuU2.dll	Static PE information: Number of sections : 58 > 10
Source: DUI70.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll0.4.dr	Static PE information: Number of sections : 59 > 10
Source: Secur32.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: ReAgent.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: WINSTA.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: XmlLite.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: OLEACC.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll.4.dr	Static PE information: Number of sections : 59 > 10

Source: A2qAaSVuU2.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ReAgent.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Source: A2qAaSVuU2.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81CBF0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81CBF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816644 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AdjustTokenPrivileges,SetThreadToken,CloseHandle,CloseHandle,	24_2_00007FF7BC816644
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC811900 AdjustTokenPrivileges,GetLastError,CloseHandle,	24_2_00007FF7BC811900
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B16588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,	29_2_00007FF618B16588

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@40/17@1/0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F81424 GetCommandLineW,CommandLineToArgvW,_wcsicmp,_wcsicmp,CoInitialize,CoCreateInstance,memset,RegGetValueW,_wcsicmp,GetModuleHandleW,GetModuleHandleW,LoadStringW,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,new,free,GetMessageW,TranslateMessage,DispatchMessageW,GetMessageW,?Destroy@Element@DirectUI@@QEAAJ_N@Z,

21_2_00007FF727F81424

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855070 FormatMessageW,GetLastError,LocalFree,SysFreeString,LeaveCriticalSection,

24_2_00007FF7BC855070

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{79834223-9b8b-fb74-ddfa-b0860ef73558}
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{e1b7b966-7536-5d87-307b-f7b104c280aa}

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82128 LoadResource,LockResource,SizeofResource,

21_2_00007FF727F82128

Source: A2qAaSVuU2.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: A2qAaSVuU2.dll

Static file information: File size 2232320 > 1048576

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140056A4D push rdi; ret

0_2_0000000140056A4E

Source: A2qAaSVuU2.dll	Static PE information: section name: .qkm
Source: A2qAaSVuU2.dll	Static PE information: section name: .cvjb
Source: A2qAaSVuU2.dll	Static PE information: section name: .tlmkv
Source: A2qAaSVuU2.dll	Static PE information: section name: .wucsxe
Source: A2qAaSVuU2.dll	Static PE information: section name: .fltwtj
Source: A2qAaSVuU2.dll	Static PE information: section name: .sfplio
Source: A2qAaSVuU2.dll	Static PE information: section name: .rpg
Source: A2qAaSVuU2.dll	Static PE information: section name: .bewzc
Source: A2qAaSVuU2.dll	Static PE information: section name: .vksvaw
Source: A2qAaSVuU2.dll	Static PE information: section name: .wmhg
Source: A2qAaSVuU2.dll	Static PE information: section name: .kswemc
Source: A2qAaSVuU2.dll	Static PE information: section name: .kaxfk
Source: A2qAaSVuU2.dll	Static PE information: section name: .wualk
Source: A2qAaSVuU2.dll	Static PE information: section name: .qdxz
Source: A2qAaSVuU2.dll	Static PE information: section name: .rkyg
Source: A2qAaSVuU2.dll	Static PE information: section name: .psul
Source: A2qAaSVuU2.dll	Static PE information: section name: .pyjm
Source: A2qAaSVuU2.dll	Static PE information: section name: .eoadme
Source: A2qAaSVuU2.dll	Static PE information: section name: .fnz
Source: A2qAaSVuU2.dll	Static PE information: section name: .gwheg
Source: A2qAaSVuU2.dll	Static PE information: section name: .fcd
Source: A2qAaSVuU2.dll	Static PE information: section name: .dwk
Source: A2qAaSVuU2.dll	Static PE information: section name: .hgy
Source: A2qAaSVuU2.dll	Static PE information: section name: .nfm
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmfqd
Source: A2qAaSVuU2.dll	Static PE information: section name: .buzyfh
Source: A2qAaSVuU2.dll	Static PE information: section name: .towo
Source: A2qAaSVuU2.dll	Static PE information: section name: .omwdbg
Source: A2qAaSVuU2.dll	Static PE information: section name: .virw
Source: A2qAaSVuU2.dll	Static PE information: section name: .bck
Source: A2qAaSVuU2.dll	Static PE information: section name: .mbhfb
Source: A2qAaSVuU2.dll	Static PE information: section name: .kix
Source: A2qAaSVuU2.dll	Static PE information: section name: .gurzs
Source: A2qAaSVuU2.dll	Static PE information: section name: .dzdoj
Source: A2qAaSVuU2.dll	Static PE information: section name: .egret
Source: A2qAaSVuU2.dll	Static PE information: section name: .ftpyc
Source: A2qAaSVuU2.dll	Static PE information: section name: .qrc
Source: A2qAaSVuU2.dll	Static PE information: section name: .tnnx
Source: A2qAaSVuU2.dll	Static PE information: section name: .vsjhk
Source: A2qAaSVuU2.dll	Static PE information: section name: .fmswwe
Source: A2qAaSVuU2.dll	Static PE information: section name: .zfhn
Source: A2qAaSVuU2.dll	Static PE information: section name: .ejdgrp
Source: A2qAaSVuU2.dll	Static PE information: section name: .soyat
Source: A2qAaSVuU2.dll	Static PE information: section name: .jlil
Source: A2qAaSVuU2.dll	Static PE information: section name: .bojgf
Source: A2qAaSVuU2.dll	Static PE information: section name: .gvsnik
Source: A2qAaSVuU2.dll	Static PE information: section name: .lsc
Source: A2qAaSVuU2.dll	Static PE information: section name: .uepvem
Source: A2qAaSVuU2.dll	Static PE information: section name: .don
Source: A2qAaSVuU2.dll	Static PE information: section name: .dqju
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmgrql
Source: A2qAaSVuU2.dll	Static PE information: section name: .cjrd
Source: SysResetErr.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .didat
Source: SndVol.exe.4.dr	Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr	Static PE information: section name: .didat
Source: mstsc.exe.4.dr	Static PE information: section name: .didat
Source: DisplaySwitch.exe.4.dr	Static PE information: section name: .imrsiv
Source: DUI70.dll.4.dr	Static PE information: section name: .qkm
Source: DUI70.dll.4.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr	Static PE information: section name: .rpg
Source: DUI70.dll.4.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr	Static PE information: section name: .wualk
Source: DUI70.dll.4.dr	Static PE information: section name: .qdxz
Source: DUI70.dll.4.dr	Static PE information: section name: .rkyg
Source: DUI70.dll.4.dr	Static PE information: section name: .psul
Source: DUI70.dll.4.dr	Static PE information: section name: .pyjm
Source: DUI70.dll.4.dr	Static PE information: section name: .eoadme
Source: DUI70.dll.4.dr	Static PE information: section name: .fnz
Source: DUI70.dll.4.dr	Static PE information: section name: .gwheg
Source: DUI70.dll.4.dr	Static PE information: section name: .fcd
Source: DUI70.dll.4.dr	Static PE information: section name: .dwk
Source: DUI70.dll.4.dr	Static PE information: section name: .hgy
Source: DUI70.dll.4.dr	Static PE information: section name: .nfm
Source: DUI70.dll.4.dr	Static PE information: section name: .qmfqd
Source: DUI70.dll.4.dr	Static PE information: section name: .buzyfh
Source: DUI70.dll.4.dr	Static PE information: section name: .towo
Source: DUI70.dll.4.dr	Static PE information: section name: .omwdbg
Source: DUI70.dll.4.dr	Static PE information: section name: .virw
Source: DUI70.dll.4.dr	Static PE information: section name: .bck
Source: DUI70.dll.4.dr	Static PE information: section name: .mbhfb
Source: DUI70.dll.4.dr	Static PE information: section name: .kix
Source: DUI70.dll.4.dr	Static PE information: section name: .gurzs
Source: DUI70.dll.4.dr	Static PE information: section name: .dzdoj
Source: DUI70.dll.4.dr	Static PE information: section name: .egret
Source: DUI70.dll.4.dr	Static PE information: section name: .ftpyc
Source: DUI70.dll.4.dr	Static PE information: section name: .qrc
Source: DUI70.dll.4.dr	Static PE information: section name: .tnnx
Source: DUI70.dll.4.dr	Static PE information: section name: .vsjhk
Source: DUI70.dll.4.dr	Static PE information: section name: .fmswwe
Source: DUI70.dll.4.dr	Static PE information: section name: .zfhn
Source: DUI70.dll.4.dr	Static PE information: section name: .ejdgrp
Source: DUI70.dll.4.dr	Static PE information: section name: .soyat
Source: DUI70.dll.4.dr	Static PE information: section name: .jlil
Source: DUI70.dll.4.dr	Static PE information: section name: .bojgf
Source: DUI70.dll.4.dr	Static PE information: section name: .gvsnik
Source: DUI70.dll.4.dr	Static PE information: section name: .lsc
Source: DUI70.dll.4.dr	Static PE information: section name: .uepvem
Source: DUI70.dll.4.dr	Static PE information: section name: .don
Source: DUI70.dll.4.dr	Static PE information: section name: .dqju
Source: DUI70.dll.4.dr	Static PE information: section name: .qmgrql
Source: DUI70.dll.4.dr	Static PE information: section name: .cjrd
Source: DUI70.dll.4.dr	Static PE information: section name: .qnro
Source: ReAgent.dll.4.dr	Static PE information: section name: .qkm
Source: ReAgent.dll.4.dr	Static PE information: section name: .cvjb
Source: ReAgent.dll.4.dr	Static PE information: section name: .tlmkv
Source: ReAgent.dll.4.dr	Static PE information: section name: .wucsxe
Source: ReAgent.dll.4.dr	Static PE information: section name: .fltwtj
Source: ReAgent.dll.4.dr	Static PE information: section name: .sfplio
Source: ReAgent.dll.4.dr	Static PE information: section name: .rpg
Source: ReAgent.dll.4.dr	Static PE information: section name: .bewzc
Source: ReAgent.dll.4.dr	Static PE information: section name: .vksvaw
Source: ReAgent.dll.4.dr	Static PE information: section name: .wmhg
Source: ReAgent.dll.4.dr	Static PE information: section name: .kswemc
Source: ReAgent.dll.4.dr	Static PE information: section name: .kaxfk
Source: ReAgent.dll.4.dr	Static PE information: section name: .wualk
Source: ReAgent.dll.4.dr	Static PE information: section name: .qdxz
Source: ReAgent.dll.4.dr	Static PE information: section name: .rkyg
Source: ReAgent.dll.4.dr	Static PE information: section name: .psul
Source: ReAgent.dll.4.dr	Static PE information: section name: .pyjm
Source: ReAgent.dll.4.dr	Static PE information: section name: .eoadme
Source: ReAgent.dll.4.dr	Static PE information: section name: .fnz
Source: ReAgent.dll.4.dr	Static PE information: section name: .gwheg
Source: ReAgent.dll.4.dr	Static PE information: section name: .fcd
Source: ReAgent.dll.4.dr	Static PE information: section name: .dwk
Source: ReAgent.dll.4.dr	Static PE information: section name: .hgy
Source: ReAgent.dll.4.dr	Static PE information: section name: .nfm
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmfqd
Source: ReAgent.dll.4.dr	Static PE information: section name: .buzyfh
Source: ReAgent.dll.4.dr	Static PE information: section name: .towo
Source: ReAgent.dll.4.dr	Static PE information: section name: .omwdbg
Source: ReAgent.dll.4.dr	Static PE information: section name: .virw
Source: ReAgent.dll.4.dr	Static PE information: section name: .bck
Source: ReAgent.dll.4.dr	Static PE information: section name: .mbhfb
Source: ReAgent.dll.4.dr	Static PE information: section name: .kix
Source: ReAgent.dll.4.dr	Static PE information: section name: .gurzs
Source: ReAgent.dll.4.dr	Static PE information: section name: .dzdoj
Source: ReAgent.dll.4.dr	Static PE information: section name: .egret
Source: ReAgent.dll.4.dr	Static PE information: section name: .ftpyc
Source: ReAgent.dll.4.dr	Static PE information: section name: .qrc
Source: ReAgent.dll.4.dr	Static PE information: section name: .tnnx
Source: ReAgent.dll.4.dr	Static PE information: section name: .vsjhk
Source: ReAgent.dll.4.dr	Static PE information: section name: .fmswwe
Source: ReAgent.dll.4.dr	Static PE information: section name: .zfhn
Source: ReAgent.dll.4.dr	Static PE information: section name: .ejdgrp
Source: ReAgent.dll.4.dr	Static PE information: section name: .soyat
Source: ReAgent.dll.4.dr	Static PE information: section name: .jlil
Source: ReAgent.dll.4.dr	Static PE information: section name: .bojgf
Source: ReAgent.dll.4.dr	Static PE information: section name: .gvsnik
Source: ReAgent.dll.4.dr	Static PE information: section name: .lsc
Source: ReAgent.dll.4.dr	Static PE information: section name: .uepvem
Source: ReAgent.dll.4.dr	Static PE information: section name: .don
Source: ReAgent.dll.4.dr	Static PE information: section name: .dqju
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmgrql
Source: ReAgent.dll.4.dr	Static PE information: section name: .cjrd
Source: ReAgent.dll.4.dr	Static PE information: section name: .lkgno
Source: XmlLite.dll.4.dr	Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll.4.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll.4.dr	Static PE information: section name: .rpg
Source: XmlLite.dll.4.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll.4.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll.4.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll.4.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll.4.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll.4.dr	Static PE information: section name: .wualk
Source: XmlLite.dll.4.dr	Static PE information: section name: .qdxz
Source: XmlLite.dll.4.dr	Static PE information: section name: .rkyg
Source: XmlLite.dll.4.dr	Static PE information: section name: .psul
Source: XmlLite.dll.4.dr	Static PE information: section name: .pyjm
Source: XmlLite.dll.4.dr	Static PE information: section name: .eoadme
Source: XmlLite.dll.4.dr	Static PE information: section name: .fnz
Source: XmlLite.dll.4.dr	Static PE information: section name: .gwheg
Source: XmlLite.dll.4.dr	Static PE information: section name: .fcd
Source: XmlLite.dll.4.dr	Static PE information: section name: .dwk
Source: XmlLite.dll.4.dr	Static PE information: section name: .hgy
Source: XmlLite.dll.4.dr	Static PE information: section name: .nfm
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmfqd
Source: XmlLite.dll.4.dr	Static PE information: section name: .buzyfh
Source: XmlLite.dll.4.dr	Static PE information: section name: .towo
Source: XmlLite.dll.4.dr	Static PE information: section name: .omwdbg
Source: XmlLite.dll.4.dr	Static PE information: section name: .virw
Source: XmlLite.dll.4.dr	Static PE information: section name: .bck
Source: XmlLite.dll.4.dr	Static PE information: section name: .mbhfb
Source: XmlLite.dll.4.dr	Static PE information: section name: .kix
Source: XmlLite.dll.4.dr	Static PE information: section name: .gurzs
Source: XmlLite.dll.4.dr	Static PE information: section name: .dzdoj
Source: XmlLite.dll.4.dr	Static PE information: section name: .egret
Source: XmlLite.dll.4.dr	Static PE information: section name: .ftpyc
Source: XmlLite.dll.4.dr	Static PE information: section name: .qrc
Source: XmlLite.dll.4.dr	Static PE information: section name: .tnnx
Source: XmlLite.dll.4.dr	Static PE information: section name: .vsjhk
Source: XmlLite.dll.4.dr	Static PE information: section name: .fmswwe
Source: XmlLite.dll.4.dr	Static PE information: section name: .zfhn
Source: XmlLite.dll.4.dr	Static PE information: section name: .ejdgrp
Source: XmlLite.dll.4.dr	Static PE information: section name: .soyat
Source: XmlLite.dll.4.dr	Static PE information: section name: .jlil
Source: XmlLite.dll.4.dr	Static PE information: section name: .bojgf
Source: XmlLite.dll.4.dr	Static PE information: section name: .gvsnik
Source: XmlLite.dll.4.dr	Static PE information: section name: .lsc
Source: XmlLite.dll.4.dr	Static PE information: section name: .uepvem
Source: XmlLite.dll.4.dr	Static PE information: section name: .don
Source: XmlLite.dll.4.dr	Static PE information: section name: .dqju
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmgrql
Source: XmlLite.dll.4.dr	Static PE information: section name: .cjrd
Source: XmlLite.dll.4.dr	Static PE information: section name: .rntf
Source: UxTheme.dll.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll.4.dr	Static PE information: section name: .don
Source: UxTheme.dll.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll.4.dr	Static PE information: section name: .voxunw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll0.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll0.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll0.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll0.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll0.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll0.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll0.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll0.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll0.4.dr	Static PE information: section name: .don
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .alzpqi
Source: Secur32.dll.4.dr	Static PE information: section name: .qkm
Source: Secur32.dll.4.dr	Static PE information: section name: .cvjb
Source: Secur32.dll.4.dr	Static PE information: section name: .tlmkv
Source: Secur32.dll.4.dr	Static PE information: section name: .wucsxe
Source: Secur32.dll.4.dr	Static PE information: section name: .fltwtj
Source: Secur32.dll.4.dr	Static PE information: section name: .sfplio
Source: Secur32.dll.4.dr	Static PE information: section name: .rpg
Source: Secur32.dll.4.dr	Static PE information: section name: .bewzc
Source: Secur32.dll.4.dr	Static PE information: section name: .vksvaw
Source: Secur32.dll.4.dr	Static PE information: section name: .wmhg
Source: Secur32.dll.4.dr	Static PE information: section name: .kswemc
Source: Secur32.dll.4.dr	Static PE information: section name: .kaxfk
Source: Secur32.dll.4.dr	Static PE information: section name: .wualk
Source: Secur32.dll.4.dr	Static PE information: section name: .qdxz
Source: Secur32.dll.4.dr	Static PE information: section name: .rkyg
Source: Secur32.dll.4.dr	Static PE information: section name: .psul
Source: Secur32.dll.4.dr	Static PE information: section name: .pyjm
Source: Secur32.dll.4.dr	Static PE information: section name: .eoadme
Source: Secur32.dll.4.dr	Static PE information: section name: .fnz
Source: Secur32.dll.4.dr	Static PE information: section name: .gwheg
Source: Secur32.dll.4.dr	Static PE information: section name: .fcd
Source: Secur32.dll.4.dr	Static PE information: section name: .dwk
Source: Secur32.dll.4.dr	Static PE information: section name: .hgy
Source: Secur32.dll.4.dr	Static PE information: section name: .nfm
Source: Secur32.dll.4.dr	Static PE information: section name: .qmfqd
Source: Secur32.dll.4.dr	Static PE information: section name: .buzyfh
Source: Secur32.dll.4.dr	Static PE information: section name: .towo
Source: Secur32.dll.4.dr	Static PE information: section name: .omwdbg
Source: Secur32.dll.4.dr	Static PE information: section name: .virw
Source: Secur32.dll.4.dr	Static PE information: section name: .bck
Source: Secur32.dll.4.dr	Static PE information: section name: .mbhfb
Source: Secur32.dll.4.dr	Static PE information: section name: .kix
Source: Secur32.dll.4.dr	Static PE information: section name: .gurzs
Source: Secur32.dll.4.dr	Static PE information: section name: .dzdoj
Source: Secur32.dll.4.dr	Static PE information: section name: .egret
Source: Secur32.dll.4.dr	Static PE information: section name: .ftpyc
Source: Secur32.dll.4.dr	Static PE information: section name: .qrc
Source: Secur32.dll.4.dr	Static PE information: section name: .tnnx
Source: Secur32.dll.4.dr	Static PE information: section name: .vsjhk
Source: Secur32.dll.4.dr	Static PE information: section name: .fmswwe
Source: Secur32.dll.4.dr	Static PE information: section name: .zfhn
Source: Secur32.dll.4.dr	Static PE information: section name: .ejdgrp
Source: Secur32.dll.4.dr	Static PE information: section name: .soyat
Source: Secur32.dll.4.dr	Static PE information: section name: .jlil
Source: Secur32.dll.4.dr	Static PE information: section name: .bojgf
Source: Secur32.dll.4.dr	Static PE information: section name: .gvsnik
Source: Secur32.dll.4.dr	Static PE information: section name: .lsc
Source: Secur32.dll.4.dr	Static PE information: section name: .uepvem
Source: Secur32.dll.4.dr	Static PE information: section name: .don
Source: Secur32.dll.4.dr	Static PE information: section name: .dqju
Source: Secur32.dll.4.dr	Static PE information: section name: .qmgrql
Source: Secur32.dll.4.dr	Static PE information: section name: .cjrd
Source: Secur32.dll.4.dr	Static PE information: section name: .gfkt
Source: WINSTA.dll.4.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.4.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.4.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.4.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.4.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.4.dr	Static PE information: section name: .sfplio
Source: WINSTA.dll.4.dr	Static PE information: section name: .rpg
Source: WINSTA.dll.4.dr	Static PE information: section name: .bewzc
Source: WINSTA.dll.4.dr	Static PE information: section name: .vksvaw
Source: WINSTA.dll.4.dr	Static PE information: section name: .wmhg
Source: WINSTA.dll.4.dr	Static PE information: section name: .kswemc
Source: WINSTA.dll.4.dr	Static PE information: section name: .kaxfk
Source: WINSTA.dll.4.dr	Static PE information: section name: .wualk
Source: WINSTA.dll.4.dr	Static PE information: section name: .qdxz
Source: WINSTA.dll.4.dr	Static PE information: section name: .rkyg
Source: WINSTA.dll.4.dr	Static PE information: section name: .psul
Source: WINSTA.dll.4.dr	Static PE information: section name: .pyjm
Source: WINSTA.dll.4.dr	Static PE information: section name: .eoadme
Source: WINSTA.dll.4.dr	Static PE information: section name: .fnz
Source: WINSTA.dll.4.dr	Static PE information: section name: .gwheg
Source: WINSTA.dll.4.dr	Static PE information: section name: .fcd
Source: WINSTA.dll.4.dr	Static PE information: section name: .dwk
Source: WINSTA.dll.4.dr	Static PE information: section name: .hgy
Source: WINSTA.dll.4.dr	Static PE information: section name: .nfm
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmfqd
Source: WINSTA.dll.4.dr	Static PE information: section name: .buzyfh
Source: WINSTA.dll.4.dr	Static PE information: section name: .towo
Source: WINSTA.dll.4.dr	Static PE information: section name: .omwdbg
Source: WINSTA.dll.4.dr	Static PE information: section name: .virw
Source: WINSTA.dll.4.dr	Static PE information: section name: .bck
Source: WINSTA.dll.4.dr	Static PE information: section name: .mbhfb
Source: WINSTA.dll.4.dr	Static PE information: section name: .kix
Source: WINSTA.dll.4.dr	Static PE information: section name: .gurzs
Source: WINSTA.dll.4.dr	Static PE information: section name: .dzdoj
Source: WINSTA.dll.4.dr	Static PE information: section name: .egret
Source: WINSTA.dll.4.dr	Static PE information: section name: .ftpyc
Source: WINSTA.dll.4.dr	Static PE information: section name: .qrc
Source: WINSTA.dll.4.dr	Static PE information: section name: .tnnx
Source: WINSTA.dll.4.dr	Static PE information: section name: .vsjhk
Source: WINSTA.dll.4.dr	Static PE information: section name: .fmswwe
Source: WINSTA.dll.4.dr	Static PE information: section name: .zfhn
Source: WINSTA.dll.4.dr	Static PE information: section name: .ejdgrp
Source: WINSTA.dll.4.dr	Static PE information: section name: .soyat
Source: WINSTA.dll.4.dr	Static PE information: section name: .jlil
Source: WINSTA.dll.4.dr	Static PE information: section name: .bojgf
Source: WINSTA.dll.4.dr	Static PE information: section name: .gvsnik
Source: WINSTA.dll.4.dr	Static PE information: section name: .lsc
Source: WINSTA.dll.4.dr	Static PE information: section name: .uepvem
Source: WINSTA.dll.4.dr	Static PE information: section name: .don
Source: WINSTA.dll.4.dr	Static PE information: section name: .dqju
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmgrql
Source: WINSTA.dll.4.dr	Static PE information: section name: .cjrd
Source: WINSTA.dll.4.dr	Static PE information: section name: .tfmzf
Source: OLEACC.dll.4.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.4.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.4.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.4.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.4.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.4.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll.4.dr	Static PE information: section name: .rpg
Source: OLEACC.dll.4.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll.4.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll.4.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll.4.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll.4.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll.4.dr	Static PE information: section name: .wualk
Source: OLEACC.dll.4.dr	Static PE information: section name: .qdxz
Source: OLEACC.dll.4.dr	Static PE information: section name: .rkyg
Source: OLEACC.dll.4.dr	Static PE information: section name: .psul
Source: OLEACC.dll.4.dr	Static PE information: section name: .pyjm
Source: OLEACC.dll.4.dr	Static PE information: section name: .eoadme
Source: OLEACC.dll.4.dr	Static PE information: section name: .fnz
Source: OLEACC.dll.4.dr	Static PE information: section name: .gwheg
Source: OLEACC.dll.4.dr	Static PE information: section name: .fcd
Source: OLEACC.dll.4.dr	Static PE information: section name: .dwk
Source: OLEACC.dll.4.dr	Static PE information: section name: .hgy
Source: OLEACC.dll.4.dr	Static PE information: section name: .nfm
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmfqd
Source: OLEACC.dll.4.dr	Static PE information: section name: .buzyfh
Source: OLEACC.dll.4.dr	Static PE information: section name: .towo
Source: OLEACC.dll.4.dr	Static PE information: section name: .omwdbg
Source: OLEACC.dll.4.dr	Static PE information: section name: .virw
Source: OLEACC.dll.4.dr	Static PE information: section name: .bck
Source: OLEACC.dll.4.dr	Static PE information: section name: .mbhfb
Source: OLEACC.dll.4.dr	Static PE information: section name: .kix
Source: OLEACC.dll.4.dr	Static PE information: section name: .gurzs
Source: OLEACC.dll.4.dr	Static PE information: section name: .dzdoj
Source: OLEACC.dll.4.dr	Static PE information: section name: .egret
Source: OLEACC.dll.4.dr	Static PE information: section name: .ftpyc
Source: OLEACC.dll.4.dr	Static PE information: section name: .qrc
Source: OLEACC.dll.4.dr	Static PE information: section name: .tnnx
Source: OLEACC.dll.4.dr	Static PE information: section name: .vsjhk
Source: OLEACC.dll.4.dr	Static PE information: section name: .fmswwe
Source: OLEACC.dll.4.dr	Static PE information: section name: .zfhn
Source: OLEACC.dll.4.dr	Static PE information: section name: .ejdgrp
Source: OLEACC.dll.4.dr	Static PE information: section name: .soyat
Source: OLEACC.dll.4.dr	Static PE information: section name: .jlil
Source: OLEACC.dll.4.dr	Static PE information: section name: .bojgf
Source: OLEACC.dll.4.dr	Static PE information: section name: .gvsnik
Source: OLEACC.dll.4.dr	Static PE information: section name: .lsc
Source: OLEACC.dll.4.dr	Static PE information: section name: .uepvem
Source: OLEACC.dll.4.dr	Static PE information: section name: .don
Source: OLEACC.dll.4.dr	Static PE information: section name: .dqju
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmgrql
Source: OLEACC.dll.4.dr	Static PE information: section name: .cjrd
Source: OLEACC.dll.4.dr	Static PE information: section name: .pfd

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

Source: A2qAaSVuU2.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x223a17
Source: DUI70.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x271ee0
Source: UxTheme.dll0.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x228f66
Source: Secur32.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2279c4
Source: ReAgent.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22a27a
Source: WINSTA.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22fc17
Source: XmlLite.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2290e6
Source: OLEACC.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22356c
Source: UxTheme.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2261cf

Source: MusNotificationUx.exe.4.dr

Static PE information: 0x6655844F [Tue May 28 07:14:23 2024 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\Secur32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D404F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	41_2_00007FF657D404F8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	41_2_00007FF657D42884
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42F5C IsWindowVisible,IsIconic,	41_2_00007FF657D42F5C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D41B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	41_2_00007FF657D41B44
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	41_2_00007FF657D3CF28
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D39A6C IsIconic,GetWindowPlacement,GetWindowRect,	41_2_00007FF657D39A6C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CE48 IsIconic,GetWindowPlacement,GetLastError,	41_2_00007FF657D3CE48
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	41_2_00007FF657D439A0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	41_2_00007FF657D3F5A4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DBC560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	41_2_00007FF657DBC560

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC81613C memset,memset,GetSystemDirectoryW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

24_2_00007FF7BC81613C

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 1392

Thread sleep count: 33 > 30

Jump to behavior

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8351F4 GetSystemTimeAsFileTime followed by cmp: cmp r9d, 01h and CTI: je 00007FF7BC835362h	24_2_00007FF7BC8351F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7410 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rsp+20h], 03h and CTI: jne 00007FF7BC7D762Ch	24_2_00007FF7BC7D7410
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360 GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF618AFF436h	29_2_00007FF618AFF360

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80B77C SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiEnumDeviceInterfaces,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,

24_2_00007FF7BC80B77C

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014005C340 GetSystemInfo,

0_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC7DB29C

Source: explorer.exe, 00000004.00000000.266212445.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.302594165.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir""
Source: explorer.exe, 00000004.00000000.272328344.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.303493974.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4028 IsDebuggerPresent,GetCurrentThreadId,GetCurrentThreadId,OutputDebugStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

24_2_00007FF7BC7D4028

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW,

21_2_00007FF727F82940

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F81090 GetProcessHeap,

21_2_00007FF727F81090

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,

0_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83C80 SetUnhandledExceptionFilter,	21_2_00007FF727F83C80
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF727F83F04
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC85864C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7BC85864C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8583E0 SetUnhandledExceptionFilter,	24_2_00007FF7BC8583E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14AC0 SetUnhandledExceptionFilter,	29_2_00007FF618B14AC0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF618B14768
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BF2E0 SetUnhandledExceptionFilter,	34_2_00007FF74A7BF2E0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00007FF74A7BEE40
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A2B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00007FF6F232A2B0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A4B0 SetUnhandledExceptionFilter,	36_2_00007FF6F232A4B0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657E52264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FF657E52264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: DUI70.dll.4.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Contains functionality to automate explorer (e.g. start an application)

Show sources

Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

Code function: 36_2_00007FF6F2326264 memset,memset,#345,DialogBoxParamW,DialogBoxParamW,Sleep,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,LoadStringW,LoadStringW,LoadStringW,#344,

36_2_00007FF6F2326264

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855D8C AllocateAndInitializeSid,GetLastError,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,CreateFileW,SetSecurityInfo,CloseHandle,GetProcessHeap,HeapFree,FreeSid,GetProcessHeap,HeapFree,

24_2_00007FF7BC855D8C

Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp, SndVol.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.300560024.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp	Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: memset,memset,GetLocaleInfoW,GetLastError,wcstoul,GetLocaleInfoW,GetLastError,GetNumberFormatW,GetLastError,GetProcessHeap,HeapAlloc,GetNumberFormatW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,		34_2_00007FF74A7B9EF4

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC80B77C

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F83E10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

21_2_00007FF727F83E10

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4344 GetTimeZoneInformation,GetLastError,GetSystemTime,SystemTimeToTzSpecificLocalTime,

24_2_00007FF7BC7D4344

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80BB70 memset,RtlGetVersion,SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiGetDeviceInterfacePropertyW,GetLastError,CreateFileW,GetLastError,DeviceIoControl,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,

24_2_00007FF7BC80BB70

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping	System Time Discovery12	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Exploitation for Client Execution1	Application Shimming1	DLL Side-Loading1	Obfuscated Files or Information3	LSASS Memory	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	System Shutdown/Reboot1
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Software Packing2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Access Token Manipulation1	Timestomp1	NTDS	System Information Discovery45	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection312	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Security Software Discovery31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion1	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
A2qAaSVuU2.dll	65%	Virustotal		Browse
A2qAaSVuU2.dll	63%	Metadefender		Browse
A2qAaSVuU2.dll	84%	ReversingLabs	Win64.Infostealer.Dridex
A2qAaSVuU2.dll	100%	Avira	HEUR/AGEN.1114452
A2qAaSVuU2.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\VgY\Secur32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\VgY\Secur32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.RecoveryDrive.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.2.EhStorAuthn.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.2.SysResetErr.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
41.2.mstsc.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
29.2.MusNotificationUx.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
34.2.SndVol.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.micro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
clientconfig.passport.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.micro	SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492853
Start date:	29.09.2021
Start time:	03:36:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	A2qAaSVuU2 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@40/17@1/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.1% (good quality ratio 16.8%) Quality average: 40.6% Quality standard deviation: 40.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.54.113.104, 13.107.4.52, 184.24.3.140, 20.190.159.133, 40.126.31.7, 20.190.159.137, 40.126.31.3, 20.190.159.135, 40.126.31.5, 40.126.31.138, 40.126.31.2, 23.54.113.45, 20.49.157.6, 20.190.159.131, 40.126.31.140, 40.126.31.142, 184.24.20.248, 184.24.21.10, 204.79.197.200, 13.107.21.200, 23.54.113.53, 20.82.210.154, 23.10.249.43, 23.10.249.26, 40.112.88.60 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, www.msftconnecttest.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, v4ncsi.msedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, 4-c-0003.c-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, go.microsoft.com.edgekey.net, ncsi.4-c-0003.c-msedge.net, e16646.dscg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.4118132531393357
Encrypted:	false
SSDEEP:	12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	FC9474302D7FD9538FC834CE63E1FD5C
SHA1:	290D8D20C7815ABC8918D60E44A9BF9BE063FDE1
SHA-256:	D7F76A8DB8CD5CBD47B91536221521A44BF8DD57E72EDF8C9239EB32F6165CCB
SHA-512:	01EBF58C36BB74763D7AB3D62AF275F35719EF0CC2CDFD742D113714C12130D614F4FBC8EDABAF9962580DE13025FE08BAEF4C435BAD242F8C979318D134247E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	877568
Entropy (8bit):	6.084247719186399
Encrypted:	false
SSDEEP:	12288:T9kJ4nbQXm4cVAyCSJLk1aciuMkTzOqUx6cl+RjJSzb0fK:T9k+N9CSJuah1cSqfC+RaYf
MD5:	2228E677678848E2FC693199947715E7
SHA1:	7AA34AC0938585EEFA9E0ABC80CCBD4E17651173
SHA-256:	9041F1AF7FD9A065B6C69D6CDF95F6FF939BF224C040816A0646540E145B73FF
SHA-512:	9B69EB763BC90FA8FE495FD1EA953276D68B8648737F209B98E777651AA89ABA4CE6449093B3E4C02B4350FF75AF508C05E6371D847279775993ABA04EFF950E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].t...t...t.......t.......t.......t.......t.......t...t..gu.......t.......t.......t..Rich.t..........................PE..d...c.]..........".................@..........@.....................................u....`.......... ..........................................p....@...]......./..............@.......T...............................................`............................text............................... ..`.rdata..N........ ..................@..@.data.... ..........................@....pdata.../.......0..................@..@.rsrc....]...@...^..................@..@.reloc..@............\..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2519040
Entropy (8bit):	3.9419943640965944
Encrypted:	false
SSDEEP:	12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1nlplj:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnbzl
MD5:	298E377EADD0706C1D73ADDEB77B8178
SHA1:	525213210DE858C13235C917106BB95C540F79F0
SHA-256:	70104ECBFB1142438426E2A5A0A4D7F3A50F65205F546CCF887A148065DB3CD4
SHA-512:	94D8B5C907339C786BF6CB9E49EC64783EA9E4F69988DA2729AE9728DD756C80850FFC4D9B5DAC2F44890BCB486B2442524E0B7AFFC215BE44C5B3E061C6E0E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." .........P".....p..........@.............................p&.....@lx}..b...........................................".dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42392
Entropy (8bit):	5.943178981884173
Encrypted:	false
SSDEEP:	768:zYVfzVTBuXwMHhrdXbsxoXF8Q0no8pV1Pxo:CfuXXrdrXXD0no8xPxo
MD5:	6A3F2F3C36FE45A87E3BFA80B6D92E07
SHA1:	8C211767AD8393F9F184FC926FE3B8913F414289
SHA-256:	069608FF0FF5918681A80CF7603275DC6CD7D416A73D033D19962B0F0F1E1EAC
SHA-512:	A75669E0481901FC7CFCA55FBC7BD7FC0E8636767537017A41B1C720F34B5AD45AC75555D0AD246AC0DF670FDC31CBA1BEFD21D63E112AD427472DE3EA59CAA6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%7..aV..aV..aV..h.S.cV...2..cV...2..vV...2..kV...2..tV..aV...V...2..oV...2?.`V...2..`V..RichaV..................PE..d...v.+J.........."......6...X.......9.........@.....................................l............... ...................................................................!......,...0t..T...................`d..(...`c...............d..`............................text...{4.......6.................. ..`.imrsiv......P...........................rdata.......`...0...:..............@..@.data...h............j..............@....pdata...............n..............@..@.rsrc................t..............@..@.reloc..,...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	319488
Entropy (8bit):	6.069929843481676
Encrypted:	false
SSDEEP:	6144:NRq8Ez5tCqd6Nr6/TWeRhUz/vMNuEob69hbF1m0lpVGMD8i3ZdTgDt0kcRkdXgl6:NRquQ/TWeRhUz/vMNuEob69hBblHGu3t
MD5:	114A55D75AC7447F012B6D8EC8B1F7FC
SHA1:	37D5636D940D0A948000B94C84AD6C41162E593F
SHA-256:	E188143729B044955881302631BE577381B05B67E9899E09DB3573156719C70E
SHA-512:	446FD3024710E6994A0085CF3ADC0E395BE131898D7D932B383A19981C41637D27D9DABFB2177DBB62375CF4CCFC13722F5B828FF0FA9BB691F220A73D035586
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.m.Q.>.Q.>.Q.>.)E>.Q.>.5.?.Q.>.5.?.Q.>.Q.>+Q.>.5.?.Q.>.5.?.Q.>.5.?.Q.>.5)>.Q.>.5.?.Q.>Rich.Q.>........PE..d...O.Uf.........."..........(.......E.........@.............................@......e}............... ......................................8...\.... ..........x............0..........T............................................................................text...L........................... ..`.imrsiv..................................rdata..L...........................@..@.data...............................@....pdata..x...........................@..@.didat..x...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.406611949592817
Encrypted:	false
SSDEEP:	12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	CB757D9BD0E289A106808C0230A026A6
SHA1:	1F11AE588A68B3A2A29668CBD5A0A8A445E4938F
SHA-256:	450A946EC012C1311B599992FD920623C478F9B69FE246296AD6F8E9B57D0581
SHA-512:	DBD27A1ACA3AF8A626D4A4C80B46D394C936B1BCBF500255CAB63E42B8E2194FC82B694DC0A230236271F41A3B89AD2E8C2B57277A9E83F6B96F388E9A27237B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	809472
Entropy (8bit):	6.649005640850081
Encrypted:	false
SSDEEP:	6144:g4yELxB+4i7juGW9ku9gi9m5SBo3BZHgnlWXL1ogREJwkz5gzNOx8XA08bAhMWUy:1tLvDNhg0Pnomt8XOykpyk
MD5:	F97BE20B374457236666607EE4BA7F7F
SHA1:	378D5ADAB450032CBD086A419C07DF8278FF4F32
SHA-256:	72A31AEB7655343C7112085DFD49A2D5F1A6F1191D8F91A96BC446DE932724EA
SHA-512:	62C8875A9ECB710CCE5CACBEFF3615A9771913F0C7A7CD42FFFE1D00F9B9E26D01139501635F1578F1B63E03682B52312E776A7191F291B86960B1D7464AB216
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_T..>:D.>:D.>:D.F.D.>:D.Z>E.>:D.Z9E.>:D.Z?E.>:D.Z;E.>:D.>;D.8:D.Z3E.>:D.Z.D.>:D.Z.D.>:D.Z8E.>:DRich.>:D........................PE..d...U..........."................. ..........@..........................................`.......... ......................................8........0..@G.......-..............8...P"..T................... ...(... ...............H...(............................text.............................. ..`.rdata..t(.........................@..@.data...............................@....pdata...-..........................@..@.rsrc...@G...0...H..................@..@.reloc..8............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.408793605428252
Encrypted:	false
SSDEEP:	12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	0CA5F4D66EBB41C5D3F7E5A6D341F77F
SHA1:	3894DC22432580634AD98F990355CF0C15F10DD8
SHA-256:	31FA6F8CCF9DD4024AF161774599C6196118660437B4149DCDE28026B7A2478E
SHA-512:	A59C7EE98E855637B31C030D66611402D1D5106593FC633C7FB0793AA9B9C74296CA41960F9EA4FCF23568D1682CE1A9602D40496610B84D882466FE861F1E9B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\QiP6c\SndVol.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	259904
Entropy (8bit):	5.955701055747905
Encrypted:	false
SSDEEP:	3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
MD5:	CDD7C7DF2D0859AC3F4088423D11BD08
SHA1:	128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
SHA-256:	D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
SHA-512:	A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\QiP6c\UxTheme.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.4158562242471984
Encrypted:	false
SSDEEP:	12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	7F591E3E13727BC65D9343A0424DC251
SHA1:	FB577F41F44AC64FFCAA911A382786B19BAC6DD5
SHA-256:	9C68174FA05C42FD588281AD3ED149DF3673A2932849410AC2E902772752871F
SHA-512:	6AA7DAA2DE4612E820E87182CDF95E8FFFFB7ADA175478F3F66F70C3B4E7BBA7FF3ECC29F31CD5C42C4BB85ACF5DE68CDAF55D8B54EF143B0FCB801B38434B49
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VgY\Secur32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.417374163758923
Encrypted:	false
SSDEEP:	12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	DB5938B2BCF055E28A918103006CBCAA
SHA1:	87EFF0B3AE617315DDE7EBA2261EA88B7AF02061
SHA-256:	45561012881BCEB066C2F5A47ACA5F80D6463D025DE36DC19F54DB2A6D0DC216
SHA-512:	C6D17E4D7EBC15C78981A22DAABC9190C35F69239BD3AB714ADBFE3D39961D82059562CFA68EBBE6F1C1A8432472C76BBA4486C20D384302194E96C16470FECC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b...........................................".#....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VgY\mstsc.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3640832
Entropy (8bit):	5.884402821447862
Encrypted:	false
SSDEEP:	98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
MD5:	3FBB5CD8829E9533D0FF5819DB0444C0
SHA1:	A4A6E4E50421E57EA4745BA44568B107A9369447
SHA-256:	043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
SHA-512:	349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... w.dN$.dN$.dN$..M%.dN$..J%.dN$..K%.dN$..O%.dN$.dO$TfN$..G%.eN$...$.dN$..L%.dN$Rich.dN$........PE..d.....Y..........."......$....%.....p..........@..............................7......K8...`..................................................].......p..H>!.....`.............7. ..P...T...........................`...............`........\..`....................text....".......$.................. ..`.rdata...\...@...^...(..............@..@.data...P(..........................@....pdata..`...........................@..@.didat..(....`....... ..............@....rsrc...H>!..p...@!.."..............@..@.reloc.. ....7..,...b7.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128512
Entropy (8bit):	6.2177431661699805
Encrypted:	false
SSDEEP:	1536:JkvDU6Ogd6+nGNj73upR/yc4jKxyB6zd23W9aMEbq6GIwc0eomgPHA5kG9mQ7N6A:bgd6+E3ueD+bc0xPxQZDFcZIZ
MD5:	5B9BB7B6DD9A81D42F057BA252DC3B63
SHA1:	EC0699019DF4B9BC7D12C4B3CAFC4963210B5C7A
SHA-256:	4348A9C263028C665AA486B08DDD22BC7F3879B0A89765DA5A0F4AECD0A1224C
SHA-512:	9F77B1720CB1F3218556E396B264A15765FF8925FFFBEF1121245BB7F15174EBC7A2C341AD787410F326EE2E18EC097DE191F21B8B4335C1129EB41289E68E19
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)S..H=@.H=@.H=@.,>A.H=@.,9A.H=@.,8A.H=@.,<A.H=@.H<@"H=@.,4A.H=@.,=A.H=@.,.@.H=@.,?A.H=@Rich.H=@........PE..d....G............"..........^......`..........@.............................0............`.......... ..................................`...`...................\............ ..,... ...T...............................................8............................text............................... ..`.rdata..f........0..................@..@.data...............................@....pdata..\...........................@..@.rsrc...............................@..@.reloc..,.... ......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r1aQ\UxTheme.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2236416
Entropy (8bit):	3.4158800780354133
Encrypted:	false
SSDEEP:	12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	4D29023178FD2D10CB3ACE4885820458
SHA1:	140E9C96A2D4A8BAC949B02FB928E0FF76754B6E
SHA-256:	FEA11ED22EBAA8A456516620C8B73281104BE7E328AD6FE82C9E013216E3EF7A
SHA-512:	0F935996AFF73EA5FBB0CE613229D31D4D0F2FD37C7207B4987D464E12A1FD2F14E45E5DEE001069144C45F35B9D0825CCF72AC46E8487A7FCA22879C3D555E1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1930224
Entropy (8bit):	1.9511202288226894
Encrypted:	false
SSDEEP:	3072:LvyYYIF4cmwcTigBmZWRHLxgMNnVYvkkVp66oB4E7p6:LvyYBF4R/igoZWRryMNnqz3
MD5:	97411B8A84E5980E509E500C3209E5C0
SHA1:	23398F8DA469DEAF10C32773062A6A62B7B004B4
SHA-256:	2C968556FCAD7EBB9A866B21A9F3F3DFCD0CA490CAF8F6B2ECDB423B9D24D3EF
SHA-512:	1D5E598B51B37E8A92FA188A8D59C67B7522480B46AFB5D2033D4380A3C5A120D0DB2BE6FE62B636A23AD83F757B7A1803B77A0EA19DF3C51B9BD36B0F06CB6A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ..zd..)d..)d..)m.T)R..)...(g..)...(q..)...(c..)...(E..)d..)...)...({..)..8)e..)...(e..)Richd..)........PE..d....[~..........."...... ........... .........@.............................`....................... .........................................\.......(3......d........c...P..X.......T....................K..(....J...............K..x............................text............ .................. ..`.imrsiv......0...........................rdata..6....@.......$..............@..@.data...(...........................@....pdata..d...........................@..@.rsrc...(3.......4..................@..@.reloc..X....P......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2240512
Entropy (8bit):	3.4238232767891454
Encrypted:	false
SSDEEP:	12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	447058F8460FC604A0852CCD62462C97
SHA1:	E2B5CE7A28224F839FA0B4A153F6B01A8C70586E
SHA-256:	B0BBEEB74A6BAE9B3AAB49327F807FEE63018C92342E4CBFA3B2666F2AFAB0F0
SHA-512:	BD751199866B6C07BAED02AA233E9A012845BAAA91659853C0F8A6E24749F37796A32E75AAF042498865E818BD9B6B25694D9A60D89ADEAE1ADE623A6FE6CCC3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.;..DN^.........." ................p..........@.............................0".....@lx}..b...........................................".m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.479118735651339
Encrypted:	false
SSDEEP:	48:JpnURyDsHPcrkR/J6AhUzHrpnUnLpM/Fuc2/7h6OSJXJY8LU+QYwBMuMuEu:JJGymPcmJfhU3JadubugTXs+QYwKLu
MD5:	F4F1FA09A467998A8BCD1E6EA05488A7
SHA1:	CB33AC91E6108330488B353C5BBE786087F35AD3
SHA-256:	D639226D41D26952376E2C91BFD87D04BF284E895A4D9446FEE48F53F37519C9
SHA-512:	6FBDA3141C980C94E85C54DBBFB084204183F133D04DCE98525E80FF62E2A33E1C2D7D2133232871E8D7DB5CD51C8AE9A73EE469E18E741672DDA6C157EDBF99
Malicious:	false
Reputation:	unknown
Preview:	........................................user.........................................user.....................RSA1.................vf..G..~^D..........O@......w..5..-.L....W.}.P.............K.....Hkk\.#Y...y... ..-_..C..j..3..i&..t.#..5...d.........................z..O........6r...G..V..q.J....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....W...RX..}.<%...K.V.\.._.y..F.............. ...oB.....:..C@......xM.6H.M.#......:..Kk.-K.y.vK.....s.O.k..%2.........(gv.sNcW..c......t.nc.."S...L)....2.k.\|3........].p..y-(..h.C.a)Y....E.@p..g.?.-.zI.y.......ku..!1...o.kZ.bzZ.y.....K/.K.Yn.O.... ..Z......i.8.>.......^.5K...]#...6\|.....3.NW..7.R@(/e.u;.N...~[..i..K.H....}...V!`....A.).7................-.......4E<.f.8.^.ZQU..xj...\..w...3k_..TmE8$.....m......3I.U..%..1.].H.@.YM.....'.....(.?..{....X..&.....hzk`............/p+.....;...b....w'P..5Om>.._...f.{...l...T.....5a@T.1.iW{.N.hlV5.... :O.T_$.l..&\..Mz.z..{.f...F7..N..F.c....h.O

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.4112191453962337
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	A2qAaSVuU2.dll
File size:	2232320
MD5:	f8295446e335b679641637334c99242d
SHA1:	18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256:	96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
SHA512:	82b140666adcf81d786ef650a4eeae44a133c23593e2ccb14a1bd0b262084dd937d2fe6546fd691ba859b376becbfc4f18e57459d8e9e6b2e20654cc227fd1b7
SSDEEP:	12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007F26EC8D932Fh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007F26EC8D930Eh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa6f2c	0xa4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64fd0	0x65000	False	0.702641553218	data	7.86628806834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio	0x110000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc	0x157000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw	0x159000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg	0x15a000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc	0x15c000	0x36d	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk	0x15d000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wualk	0x15f000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qdxz	0x160000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rkyg	0x161000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.psul	0x162000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pyjm	0x163000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eoadme	0x164000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fnz	0x165000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gwheg	0x166000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fcd	0x1ac000	0x322	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dwk	0x1ad000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hgy	0x1ae000	0xae7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nfm	0x1af000	0x46e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qmfqd	0x1b0000	0xd57	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.buzyfh	0x1b1000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.towo	0x1b2000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.omwdbg	0x1b3000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.virw	0x1b4000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bck	0x1bb000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mbhfb	0x1bc000	0x573	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kix	0x1bd000	0x896	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gurzs	0x1be000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dzdoj	0x1bf000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.egret	0x1c0000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ftpyc	0x1c2000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qrc	0x1c3000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tnnx	0x1c4000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vsjhk	0x1c5000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fmswwe	0x1c6000	0xd33	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zfhn	0x1c7000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ejdgrp	0x1ce000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.soyat	0x1cf000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jlil	0x1d0000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bojgf	0x1d1000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gvsnik	0x1d2000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lsc	0x1d3000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uepvem	0x219000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.don	0x21a000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dqju	0x21c000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qmgrql	0x21e000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cjrd	0x21f000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
DpxFreeMemory	1	0x140014ad4
DpxNewJob	2	0x14000c684
DpxNewJobEx	3	0x140024248
DpxRestoreJob	4	0x1400085e8
DpxRestoreJobEx	5	0x14001b4d8

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 03:37:46.985901117 CEST	53183	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:37:47.999109983 CEST	53183	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:37:48.059173107 CEST	53	53183	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:20.888489962 CEST	57587	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:21.877808094 CEST	57587	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:21.896532059 CEST	53	57587	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:23.611285925 CEST	55432	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:23.666307926 CEST	53	55432	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:32.279305935 CEST	64936	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:32.352840900 CEST	53	64936	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:34.614573002 CEST	52704	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:34.678839922 CEST	53	52704	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:43.007261992 CEST	52212	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:44.032881975 CEST	52212	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:44.087611914 CEST	53	52212	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:46.405586958 CEST	54302	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:48.000888109 CEST	54302	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:48.043163061 CEST	53	54302	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:57.699244976 CEST	53784	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:57.717226982 CEST	53	53784	8.8.8.8	192.168.2.5
Sep 29, 2021 03:38:58.077536106 CEST	65307	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:38:58.108865976 CEST	53	65307	8.8.8.8	192.168.2.5
Sep 29, 2021 03:39:05.169296980 CEST	64344	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:39:05.203315020 CEST	53	64344	8.8.8.8	192.168.2.5
Sep 29, 2021 03:39:10.919622898 CEST	62060	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:39:10.944142103 CEST	53	62060	8.8.8.8	192.168.2.5
Sep 29, 2021 03:39:47.347239017 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:39:47.373959064 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 29, 2021 03:39:53.680443048 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:39:53.699193001 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 29, 2021 03:40:04.949834108 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:04.983392954 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 29, 2021 03:40:35.671704054 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:36.681646109 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:37.681225061 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:39.697453022 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:43.697468996 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:51.634490013 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:52.667848110 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:53.667366982 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:55.714175940 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 29, 2021 03:40:55.756486893 CEST	53	65447	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 29, 2021 03:38:58.077536106 CEST	192.168.2.5	8.8.8.8	0x6cdd	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Sep 29, 2021 03:38:32.352840900 CEST	8.8.8.8	192.168.2.5	0x2b7e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 03:38:48.043163061 CEST	8.8.8.8	192.168.2.5	0x9b72	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net	CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 03:38:58.108865976 CEST	8.8.8.8	192.168.2.5	0x6cdd	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 3104 Parent PID: 2456

General

Start time:	03:37:40
Start date:	29/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
Imagebase:	0x7ff6977c0000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5772 Parent PID: 3104

General

Start time:	03:37:40
Start date:	29/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2588 Parent PID: 3104

General

Start time:	03:37:41
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
Imagebase:	0x7ff70a260000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3332 Parent PID: 5772

General

Start time:	03:37:41
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Imagebase:	0x7ff70a260000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 2588

General

Start time:	03:37:43
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2436 Parent PID: 3104

General

Start time:	03:37:44
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
Imagebase:	0x7ff70a260000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 800 Parent PID: 3104

General

Start time:	03:37:48
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
Imagebase:	0x7ff70a260000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: SysResetErr.exe PID: 2876 Parent PID: 3472

General

Start time:	03:38:23
Start date:	29/09/2021
Path:	C:\Windows\System32\SysResetErr.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SysResetErr.exe
Imagebase:	0x7ff650120000
File size:	42392 bytes
MD5 hash:	6A3F2F3C36FE45A87E3BFA80B6D92E07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: SysResetErr.exe PID: 484 Parent PID: 3472

General

Start time:	03:38:32
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
Imagebase:	0x7ff727f80000
File size:	42392 bytes
MD5 hash:	6A3F2F3C36FE45A87E3BFA80B6D92E07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RecoveryDrive.exe PID: 5932 Parent PID: 3472

General

Start time:	03:38:44
Start date:	29/09/2021
Path:	C:\Windows\System32\RecoveryDrive.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RecoveryDrive.exe
Imagebase:	0x7ff6a8220000
File size:	877568 bytes
MD5 hash:	2228E677678848E2FC693199947715E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RecoveryDrive.exe PID: 6092 Parent PID: 3472

General

Start time:	03:38:45
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
Imagebase:	0x7ff7bc7d0000
File size:	877568 bytes
MD5 hash:	2228E677678848E2FC693199947715E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: MusNotificationUx.exe PID: 4756 Parent PID: 3472

General

Start time:	03:38:58
Start date:	29/09/2021
Path:	C:\Windows\System32\MusNotificationUx.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MusNotificationUx.exe
Imagebase:	0x7ff6f7fe0000
File size:	319488 bytes
MD5 hash:	114A55D75AC7447F012B6D8EC8B1F7FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MusNotificationUx.exe PID: 3940 Parent PID: 3472

General

Start time:	03:38:58
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
Imagebase:	0x7ff618af0000
File size:	319488 bytes
MD5 hash:	114A55D75AC7447F012B6D8EC8B1F7FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: SndVol.exe PID: 3532 Parent PID: 3472

General

Start time:	03:39:10
Start date:	29/09/2021
Path:	C:\Windows\System32\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SndVol.exe
Imagebase:	0x7ff759370000
File size:	259904 bytes
MD5 hash:	CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SndVol.exe PID: 1208 Parent PID: 3472

General

Start time:	03:39:12
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\QiP6c\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\QiP6c\SndVol.exe
Imagebase:	0x7ff74a7a0000
File size:	259904 bytes
MD5 hash:	CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: EhStorAuthn.exe PID: 3016 Parent PID: 3472

General

Start time:	03:39:24
Start date:	29/09/2021
Path:	C:\Windows\System32\EhStorAuthn.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\EhStorAuthn.exe
Imagebase:	0x7ff786bf0000
File size:	128512 bytes
MD5 hash:	5B9BB7B6DD9A81D42F057BA252DC3B63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: EhStorAuthn.exe PID: 2424 Parent PID: 3472

General

Start time:	03:39:26
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
Imagebase:	0x7ff6f2320000
File size:	128512 bytes
MD5 hash:	5B9BB7B6DD9A81D42F057BA252DC3B63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: mstsc.exe PID: 5972 Parent PID: 3472

General

Start time:	03:39:38
Start date:	29/09/2021
Path:	C:\Windows\System32\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mstsc.exe
Imagebase:	0x7ff7ab200000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mstsc.exe PID: 5668 Parent PID: 3472

General

Start time:	03:39:39
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\VgY\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\VgY\mstsc.exe
Imagebase:	0x7ff657d30000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll64.exe PID: 3104 Parent PID: 2456 loaddll64.exeCOMMON

Executed Functions

Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140049BDD
}*, xrefs: 0000000140049620

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
Opcode Fuzzy Hash: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 000000014003704B
EntryPoint.A2QAASVUU2 ref: 00000001400370EE

Strings

d, xrefs: 0000000140037032
)8GV, xrefs: 0000000140037008

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleEntryFreePoint
String ID: )8GV$d
API String ID: 3550414006-3589632123
Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 000000014005D101

Strings

sy;, xrefs: 000000014005C9ED
sy;, xrefs: 000000014005C420

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: sy;$sy;
API String ID: 31276548-3660992706
Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

}*, xrefs: 000000014004C37C
}*, xrefs: 000000014004BDB0

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 000000014005D2ED

Strings

., xrefs: 000000014005D36A

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140026CC0, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

)8GV, xrefs: 000000014002703B
)8GV, xrefs: 0000000140027120

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
Opcode Fuzzy Hash: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A4B0, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000000014006A550

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
Opcode Fuzzy Hash: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 0000000140048CDE

Part of subcall function 000000014005D1F0: FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035270, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

ExitProcess.KERNEL32 ref: 00000001400354E1

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseExitProcess
String ID:
API String ID: 3487036407-0
Opcode ID: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
Opcode Fuzzy Hash: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046C90, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034870, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
Opcode Fuzzy Hash: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740

Uniqueness

Uniqueness Score: -1.00%

Function 000001CD7AE52252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001CD7AE523B0
VirtualProtect.KERNELBASE ref: 000001CD7AE52471
RtlAvlRemoveNode.NTDLL ref: 000001CD7AE525B4
VirtualProtect.KERNELBASE ref: 000001CD7AE52677

Memory Dump Source

Source File: 00000000.00000002.280175060.000001CD7AE50000.00000040.00000001.sdmp, Offset: 000001CD7AE50000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: ae53a1b6f91cb68ae635657d0c0ad1c34011f884514b110e12ecf9caa7715dad
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: DFB14276618BC586E7308B5AF441BDEB7A1F789B84F108026EE8D97B58DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B

Strings

4aX, xrefs: 000000014005FA09

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID: 4aX
API String ID: 3907675253-4042356595
Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DAE0, Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DD30, Relevance: 3.1, APIs: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014005DDD8
ReadFile.KERNELBASE ref: 000000014005DE49

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046F60, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0000000140046FDE

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE ref: 000000014005FEFE

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D1F0, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 0000000140060C16

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046690, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00000001400466DD

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046730, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014004678C

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699

Uniqueness

Uniqueness Score: -1.00%

Function 000001CD7AE52057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001CD7AE529A8), ref: 000001CD7AE520A7

Memory Dump Source

Source File: 00000000.00000002.280175060.000001CD7AE50000.00000040.00000001.sdmp, Offset: 000001CD7AE50000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 3e9331106b1d099fe37158afde32259deaa12b4f5a0f43ffe21524c0a7659b5e
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: EE312772615B8086D780DB1AF45579A7BA0F389BC4F205026EF8D87B18DB3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014002B6E0, Relevance: 8.2, Strings: 6, Instructions: 741COMMON

Download Yara Rule

Strings

3050, xrefs: 000000014002BB42
3050, xrefs: 000000014002B992
0020, xrefs: 000000014002BB49
0020, xrefs: 000000014002B98B
4040, xrefs: 000000014002BB6A
GNOP, xrefs: 000000014002B9CB

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP
API String ID: 0-829999343
Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071DC0, Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000000014007213B
ERCP, xrefs: 0000000140071EED
VUUU, xrefs: 000000014007211B
VUUU, xrefs: 0000000140072194

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400667D0, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

SW, xrefs: 0000000140066C49
SW, xrefs: 0000000140066CA6
SW, xrefs: 0000000140066A1A
SW, xrefs: 0000000140066A69

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SW$SW$SW$SW
API String ID: 0-1120820918
Opcode ID: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
Opcode Fuzzy Hash: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031DF0, Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140031FC2
GC,, xrefs: 0000000140032008
GC,, xrefs: 00000001400321D7
GC,, xrefs: 000000014003216C

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,$GC,$GC,
API String ID: 0-2774350030
Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140057950, Relevance: 4.5, Strings: 2, Instructions: 1977COMMON

Download Yara Rule

Strings

}*, xrefs: 00000001400579C0
}*, xrefs: 0000000140057F89

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: e9887d82a581d5bcb5ea5d841605ffb3677de7d06064effe96893209b5a6e0e0
Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
Opcode Fuzzy Hash: e9887d82a581d5bcb5ea5d841605ffb3677de7d06064effe96893209b5a6e0e0
Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400263C0, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

)8GV, xrefs: 0000000140026A4D
@, xrefs: 0000000140026B3F
)8GV, xrefs: 00000001400267B0

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
Opcode Fuzzy Hash: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400067B0, Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

POST, xrefs: 0000000140006CF6
*/*, xrefs: 0000000140006D02
GET, xrefs: 000000014000688D, 000000014000689B

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
Opcode Fuzzy Hash: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035520, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140035622
GC,, xrefs: 0000000140035665
{QN, xrefs: 00000001400355E1

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,${QN
API String ID: 0-3150587038
Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025DB0, Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140025E65
0, xrefs: 0000000140025FF4

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$GC,
API String ID: 0-3557465234
Opcode ID: c501a18cd752f9cb014cd0278b4cdcaf861e6727db0c1722d954af001bda1d39
Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
Opcode Fuzzy Hash: c501a18cd752f9cb014cd0278b4cdcaf861e6727db0c1722d954af001bda1d39
Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FB20, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

cLpS, xrefs: 000000014002FB76
cLpS, xrefs: 000000014002FB46

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS$cLpS
API String ID: 0-581437482
Opcode ID: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
Opcode Fuzzy Hash: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039140, Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

D, xrefs: 0000000140039B2B

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C5C0, Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000C5D5

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
Opcode Fuzzy Hash: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015120, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 000000014001530B

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExpandStrings
String ID:
API String ID: 1839112984-0
Opcode ID: 45e4f39da0bad21561b5064be163dd8534aff24f975c135ffc3a62d6c7fd4cf0
Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
Opcode Fuzzy Hash: 45e4f39da0bad21561b5064be163dd8534aff24f975c135ffc3a62d6c7fd4cf0
Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019D20, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a32b9ce1bb685620e39e08575ae203d18ff6a72e91932ff27c8b72503ae2f13
Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
Opcode Fuzzy Hash: 3a32b9ce1bb685620e39e08575ae203d18ff6a72e91932ff27c8b72503ae2f13
Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019580, Relevance: 2.0, APIs: 1, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc47b23165564b486feb3c8182ff2dab583dad21220a6b85b8bd8ac1698894f
Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
Opcode Fuzzy Hash: 3bc47b23165564b486feb3c8182ff2dab583dad21220a6b85b8bd8ac1698894f
Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EB0, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

cLpS, xrefs: 00000001400072A3

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS
API String ID: 0-2886372077
Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400139D0, Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

m, xrefs: 000000014001422E

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID: m
API String ID: 1964310414-3775001192
Opcode ID: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
Opcode Fuzzy Hash: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D100, Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

s( j, xrefs: 000000014001D128

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s( j
API String ID: 0-1450404818
Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029780, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

kw9b, xrefs: 000000014002989A

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumValue
String ID: kw9b
API String ID: 858281747-837114885
Opcode ID: 8fe5edd6d85ef5fb81b21d913d03357e3fdb124ed1fc83b54cb0e6b95d0cba36
Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
Opcode Fuzzy Hash: 8fe5edd6d85ef5fb81b21d913d03357e3fdb124ed1fc83b54cb0e6b95d0cba36
Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033BB0, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

U, xrefs: 000000014003408F

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c7c17b4a929c8fca42997e9228a0bf0b46a1d4db9eb13a9c52e903abf607145f
Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
Opcode Fuzzy Hash: c7c17b4a929c8fca42997e9228a0bf0b46a1d4db9eb13a9c52e903abf607145f
Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023530, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 000000014002385F

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
Opcode Fuzzy Hash: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400389A0, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140038A46

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID: 0
API String ID: 3535843008-4108050209
Opcode ID: 5efda3073f98ba850d64a6a6b6fb973051fc5223a8b2b59b7862bd26d1a0a119
Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
Opcode Fuzzy Hash: 5efda3073f98ba850d64a6a6b6fb973051fc5223a8b2b59b7862bd26d1a0a119
Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400205A0, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 000000014002069B

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
Opcode Fuzzy Hash: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EED0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 000000014002F04E

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023140, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

tI*k, xrefs: 0000000140023300

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tI*k
API String ID: 0-257501792
Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078570, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00000001400785BF

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F940, Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdaca1a3c271cd417c85bb097e58509ad96e32764cb2952681562445dcde157
Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
Opcode Fuzzy Hash: dcdaca1a3c271cd417c85bb097e58509ad96e32764cb2952681562445dcde157
Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 4bce802a55eded36f570ef6d01a06ef35652310067493a148248f362802968e3
Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
Opcode Fuzzy Hash: 4bce802a55eded36f570ef6d01a06ef35652310067493a148248f362802968e3
Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B220, Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024440, Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018630, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
Opcode Fuzzy Hash: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf04223ec18bb60842fe7fa632ea836e81c8b6d6b17b3371276cc931bd38ff2
Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
Opcode Fuzzy Hash: baf04223ec18bb60842fe7fa632ea836e81c8b6d6b17b3371276cc931bd38ff2
Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B120, Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B390, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069010, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: bc4fe18ed797083e74f4d5cd17e8a6e4e1d5126150df91a93b346629e9c3d65f
Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
Opcode Fuzzy Hash: bc4fe18ed797083e74f4d5cd17e8a6e4e1d5126150df91a93b346629e9c3d65f
Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E170, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
Opcode Fuzzy Hash: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002980, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
Opcode Fuzzy Hash: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
Opcode Fuzzy Hash: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010880, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D910, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
Opcode Fuzzy Hash: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033540, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e6d31ae123d367ae286cc33ede5adb79100aa8ca1f635c4c03776b42ffb831
Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
Opcode Fuzzy Hash: 46e6d31ae123d367ae286cc33ede5adb79100aa8ca1f635c4c03776b42ffb831
Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a271461545f8d7b832081a624fb0379c86db8b71a6fcc540a55edf685f09f5
Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
Opcode Fuzzy Hash: e2a271461545f8d7b832081a624fb0379c86db8b71a6fcc540a55edf685f09f5
Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
Opcode Fuzzy Hash: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
Opcode Fuzzy Hash: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064080, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030530, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A110, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
Opcode Fuzzy Hash: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F490, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031540, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
Opcode Fuzzy Hash: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066020, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B424, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B436, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B446, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
Opcode Fuzzy Hash: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001010, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7007dcec79cbd028848c0e6b5f903ec75487d0d5c02af892f7002b917e7028
Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
Opcode Fuzzy Hash: 2f7007dcec79cbd028848c0e6b5f903ec75487d0d5c02af892f7002b917e7028
Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018300, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
Opcode Fuzzy Hash: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016100, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
Opcode Fuzzy Hash: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032650, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
Opcode Fuzzy Hash: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D850, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001620, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
Opcode Fuzzy Hash: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: d3a452de0128449f2e5039728471469ce51d7081f01deae87ca1d54060856238
Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
Opcode Fuzzy Hash: d3a452de0128449f2e5039728471469ce51d7081f01deae87ca1d54060856238
Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022730, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031340, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F840, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: d96108c4bde49195b51d10af4498cce92db92bc86361a98dabd69ade9e6efc75
Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
Opcode Fuzzy Hash: d96108c4bde49195b51d10af4498cce92db92bc86361a98dabd69ade9e6efc75
Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022340, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005370, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.279907196.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280041890.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.280055756.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.280061058.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2588 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 000001832CCF2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001832CCF23B0
VirtualProtect.KERNELBASE ref: 000001832CCF2471
RtlAvlRemoveNode.NTDLL ref: 000001832CCF25B4
VirtualProtect.KERNELBASE ref: 000001832CCF2677

Memory Dump Source

Source File: 00000002.00000002.340116582.000001832CCF0000.00000040.00000001.sdmp, Offset: 000001832CCF0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 4cdf1eb09072b7cb4d60bc7de0ad6dd430f64c1991fb8b44b5770241919415d8
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 79B151B6618BD486D730CB5AE440BDEB7A1F7C9B80F148126EEC957B58CB79C9428F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001832CCF2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001832CCF29A8), ref: 000001832CCF20A7

Memory Dump Source

Source File: 00000002.00000002.340116582.000001832CCF0000.00000040.00000001.sdmp, Offset: 000001832CCF0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: bd4da1ae6fc1de2a212d78e2fd6ce0660458cd91d1ac7dd8a134e402645469c2
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 69314972615B9086D780DF1AE45479A7BA1F389BC4F209026EF8D87B28DF3AC542CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3332 Parent PID: 5772 rundll32.exeCOMMON

Executed Functions

Function 00000241597C2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00000241597C23B0
VirtualProtect.KERNELBASE ref: 00000241597C2471
RtlAvlRemoveNode.NTDLL ref: 00000241597C25B4
VirtualProtect.KERNELBASE ref: 00000241597C2677

Memory Dump Source

Source File: 00000003.00000002.258418012.00000241597C0000.00000040.00000001.sdmp, Offset: 00000241597C0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 9b309d8f8229f6802bb74af063f5f1857113f4595d9d60648dddb56ad93a1f34
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 01B15376618BC486D770CB1AF440BDEB7A1F7C9B90F508026EE8957B58DB79C8928F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000241597C2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000241597C29A8), ref: 00000241597C20A7

Memory Dump Source

Source File: 00000003.00000002.258418012.00000241597C0000.00000040.00000001.sdmp, Offset: 00000241597C0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 248ee415ea60b9caf08b1f57596b9e93f23ea15991ed19b7d1ccb8f596059ec4
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 2C315C72615B8086D790DF1AE45479A7BA0F389BC4F608026EF8D87B18DF3AC482CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2436 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 000002D6C6322252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000002D6C63223B0
VirtualProtect.KERNELBASE ref: 000002D6C6322471
RtlAvlRemoveNode.NTDLL ref: 000002D6C63225B4
VirtualProtect.KERNELBASE ref: 000002D6C6322677

Memory Dump Source

Source File: 00000006.00000002.264048381.000002D6C6320000.00000040.00000001.sdmp, Offset: 000002D6C6320000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 22f51ee9eab544161f089dcece2a212402ca7b9cae22132807f9ad1785c611b8
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 5FB15576618BC486D730CB5AE444B9EB7A0F7C9B80F108026EECD57B69CB79C8518F84

Uniqueness

Uniqueness Score: -1.00%

Function 000002D6C6322057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002D6C63229A8), ref: 000002D6C63220A7

Memory Dump Source

Source File: 00000006.00000002.264048381.000002D6C6320000.00000040.00000001.sdmp, Offset: 000002D6C6320000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 59cec30514316ee577e33d22f7c76e579a5c9ef57005d0fbe341bba40e83ce06
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 02315C72615B9086D780DF5AE45875A7BA0F389BC4F209026EF8D87B28DF3AC442CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 800 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 000002BFADEE2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000002BFADEE23B0
VirtualProtect.KERNELBASE ref: 000002BFADEE2471
RtlAvlRemoveNode.NTDLL ref: 000002BFADEE25B4
VirtualProtect.KERNELBASE ref: 000002BFADEE2677

Memory Dump Source

Source File: 00000007.00000002.274812414.000002BFADEE0000.00000040.00000001.sdmp, Offset: 000002BFADEE0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: e5ae16f0675763ddf58f9a5183a0136b24aed0878496c614a9000ba1a6419970
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 0DB13277618BC586D7708B1AE88079AB7A1F7C9B80F108026EE8D57B58DF79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000002BFADEE2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002BFADEE29A8), ref: 000002BFADEE20A7

Memory Dump Source

Source File: 00000007.00000002.274812414.000002BFADEE0000.00000040.00000001.sdmp, Offset: 000002BFADEE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 1579be1ce7ce8e9047eaf47ab044bc3d0f6cc6666e33977ca920a2449748280b
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: D0313C76615B9086D790DF1AE49475A7BA0F389BD4F205026EF8D87B28DF7AC486CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: SysResetErr.exe PID: 484 Parent PID: 3472 SysResetErr.exeCOMMON

Executed Functions

Function 000001B360F12252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001B360F123B0
VirtualProtect.KERNELBASE ref: 000001B360F12471
RtlAvlRemoveNode.NTDLL ref: 000001B360F125B4
VirtualProtect.KERNELBASE ref: 000001B360F12677

Memory Dump Source

Source File: 00000015.00000002.388205473.000001B360F10000.00000040.00000001.sdmp, Offset: 000001B360F10000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: e4ba0e638b5336604deef18649865748cc2678e78e801e0c8a810744f0e84e58
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: EAB14576618BC486D770CB5AE480BDEBBA1F7C9B80F108026EE8957B58DB79C9518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001B360F12057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001B360F129A8), ref: 000001B360F120A7

Memory Dump Source

Source File: 00000015.00000002.388205473.000001B360F10000.00000040.00000001.sdmp, Offset: 000001B360F10000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 185a2b795baeb5981806699e3a019e5b6a77b4a7a54ee466ff58837f92d901e6
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: DE315C72615B9086D790DF1AE49579A7BB0F389BC4F204026EF8D87B18DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF727F81424, Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 271windowcomregistryCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF727F8145D
CommandLineToArgvW.SHELL32 ref: 00007FF727F8146B
_wcsicmp.MSVCRT ref: 00007FF727F8148A
_wcsicmp.MSVCRT ref: 00007FF727F8149F
CoInitialize.OLE32 ref: 00007FF727F814AF
CoCreateInstance.OLE32 ref: 00007FF727F81504
memset.MSVCRT ref: 00007FF727F815A1
RegGetValueW.ADVAPI32 ref: 00007FF727F815DD
_wcsicmp.MSVCRT ref: 00007FF727F815EF
GetModuleHandleW.KERNEL32 ref: 00007FF727F815FB
GetModuleHandleW.KERNEL32 ref: 00007FF727F8160A
LoadStringW.USER32 ref: 00007FF727F81625
?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z.DUI70 ref: 00007FF727F8168C
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z.DUI70 ref: 00007FF727F816AF
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70 ref: 00007FF727F816E0
new.LIBCMT ref: 00007FF727F81728
free.MSVCRT ref: 00007FF727F81771
GetMessageW.USER32 ref: 00007FF727F817E2
TranslateMessage.USER32 ref: 00007FF727F817F1
DispatchMessageW.USER32 ref: 00007FF727F817FC
GetMessageW.USER32 ref: 00007FF727F8180F
?Destroy@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF727F8182C

Strings

main, xrefs: 00007FF727F816CC
-basicreset, xrefs: 00007FF727F81498
-factoryreset, xrefs: 00007FF727F81483
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF727F815CA
EditionID, xrefs: 00007FF727F815B4

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectMessage$Parser@_wcsicmp$CommandCreateElement@HandleLineModule$ArgvCreate@Destroy@DispatchE__@@0@Element@2@1FromInitializeInstanceLoadResource@StringTranslateV12@V32@@ValueValue@2@freememset
String ID: -basicreset$-factoryreset$EditionID$Software\Microsoft\Windows NT\CurrentVersion$main
API String ID: 2337692366-2935165486
Opcode ID: 336857f150e7de550305727871471e28a446081ce6171decfb4ff10ff273a4e1
Instruction ID: e4f02b4d90d115e60146de8832a1f1e98a97cea375f6c7c4b2213abdbdb5e72b
Opcode Fuzzy Hash: 336857f150e7de550305727871471e28a446081ce6171decfb4ff10ff273a4e1
Instruction Fuzzy Hash: B2D14F35A0CB4282EB10EF25EE50269A760FF86B84F944139D94D67765DF3CE607CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F82940, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 147windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF727F82C88: _vscwprintf.MSVCRT ref: 00007FF727F82BF0
Part of subcall function 00007FF727F82C88: vswprintf_s.MSVCRT ref: 00007FF727F82C2F

_cwprintf_s_l.LIBCMT ref: 00007FF727F82A68
OutputDebugStringW.KERNEL32 ref: 00007FF727F82A75
GetLastError.KERNEL32 ref: 00007FF727F82A7B
CurrentIP.WDSCORE ref: 00007FF727F82A83
WdsSetupLogMessageW.WDSCORE ref: 00007FF727F82AE2

Strings

Received invalid log severity %u, xrefs: 00007FF727F829BE
base\reset\util\src\logging.cpp, xrefs: 00007FF727F829D2
PushButtonReset::Logging::TraceErr, xrefs: 00007FF727F829D9
0x%08x in %hs (%hs:%d): %s, xrefs: 00007FF727F82A5C
base\reset\util\src\logging.cpp, xrefs: 00007FF727F82AC2
PushButtonReset::Logging::TraceErr, xrefs: 00007FF727F82AB6

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDebugErrorLastMessageOutputSetupString_cwprintf_s_l_vscwprintfvswprintf_s
String ID: 0x%08x in %hs (%hs:%d): %s$PushButtonReset::Logging::TraceErr$PushButtonReset::Logging::TraceErr$Received invalid log severity %u$base\reset\util\src\logging.cpp$base\reset\util\src\logging.cpp
API String ID: 4168859728-60570639
Opcode ID: 17fa034e02b5cecf0ba1863e50a811701f33ab0a8bbf20d035774f3931be43b9
Instruction ID: e97f5c899a639285f33fb2e6e147f7bb25ce1533b53651e49f0ce465061f86b9
Opcode Fuzzy Hash: 17fa034e02b5cecf0ba1863e50a811701f33ab0a8bbf20d035774f3931be43b9
Instruction Fuzzy Hash: 7B617532A0CB4686E7109F19ED4026AB7A0FB85B94F804235DA5D277A5DF3CEA47CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F83E10, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF727F83E41
GetCurrentProcessId.KERNEL32 ref: 00007FF727F83E4F
GetCurrentThreadId.KERNEL32 ref: 00007FF727F83E5B
GetTickCount.KERNEL32 ref: 00007FF727F83E67
GetTickCount.KERNEL32 ref: 00007FF727F83E77
QueryPerformanceCounter.KERNEL32 ref: 00007FF727F83E92

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 22365f55047b8282afbcf7675dea09df27e9caf06650ebe1148e72bd3d537c88
Instruction ID: 22aa8e076da61cb6efba7143293f0ba59e4153c32f76de903285d7bfbebfa8ff
Opcode Fuzzy Hash: 22365f55047b8282afbcf7675dea09df27e9caf06650ebe1148e72bd3d537c88
Instruction Fuzzy Hash: 32112122719F418ADB00EF71ED440A873A4FB0E758F800A35EA5D87758EF3CD6A68750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F82128, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,00007FF727F81D8D), ref: 00007FF727F82145
LockResource.KERNEL32(?,?,?,00007FF727F81D8D), ref: 00007FF727F82157
SizeofResource.KERNEL32(?,?,?,00007FF727F81D8D), ref: 00007FF727F8216B

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 1fa94586d1fc40916ba3c962a28bafbaf877ee03f7615a8da1a4ce2aac930dcd
Instruction ID: 73cdb2c8ea7067c5691d109b8f223120d5b53289dadd70d50e747c99198db8c7
Opcode Fuzzy Hash: 1fa94586d1fc40916ba3c962a28bafbaf877ee03f7615a8da1a4ce2aac930dcd
Instruction Fuzzy Hash: 5F01D621B1DA5281EF145B11AD0017AA2A0EF5AFA4F9C4431DE1D17395DE3CE9438A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F83F04, Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF727F83F0F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF727F83F18
GetCurrentProcess.KERNEL32 ref: 00007FF727F83F1E

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 229d95f6cd2ef6a8adb030f9b6b2c0755bfa3130dff61b2c4f1329930a19c01d
Instruction ID: 575f3d9aedc99c62f5067003e868da264cc0a6a1ef556e1051a43678541d3185
Opcode Fuzzy Hash: 229d95f6cd2ef6a8adb030f9b6b2c0755bfa3130dff61b2c4f1329930a19c01d
Instruction Fuzzy Hash: 0FD0C755E1D506C6F71837616D190355220FB5EB45F441534C91B9D72AED3C56474B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F83C80, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF727F83C8B

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 08c8b276110c405c8124390fa3691ec11c0b341d04a4dd0bf3a9ffa6c4be2165
Instruction ID: 8161317a444c214be87b6e20adcbca99c78b20b0805a0441346a5d9a5e664cf4
Opcode Fuzzy Hash: 08c8b276110c405c8124390fa3691ec11c0b341d04a4dd0bf3a9ffa6c4be2165
Instruction Fuzzy Hash: 48B09214E69402C1D608BB219D89064A2A0BF5A708FC10430C00D95120EE1C929B8B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F81090, Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF727F81094

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7356b02fe8cea85e9e447eb5f9eb4ec2ee885ce811f0f907d72f4f8f8cc4d79f
Instruction ID: adc9ea2bc5d377ebc348b0e472efe97945a8ecbaea19ccbd4c23e2cc377fcd5c
Opcode Fuzzy Hash: 7356b02fe8cea85e9e447eb5f9eb4ec2ee885ce811f0f907d72f4f8f8cc4d79f
Instruction Fuzzy Hash: A6D06724D0DB83D0E610AB50AE94274B3A0FF57714FD00135C46D76665EE2C635B9B65

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F826FC, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF727F82C88: _vscwprintf.MSVCRT ref: 00007FF727F82BF0
Part of subcall function 00007FF727F82C88: vswprintf_s.MSVCRT ref: 00007FF727F82C2F

_cwprintf_s_l.LIBCMT ref: 00007FF727F82813
OutputDebugStringW.KERNEL32 ref: 00007FF727F82820
GetLastError.KERNEL32 ref: 00007FF727F82826
CurrentIP.WDSCORE ref: 00007FF727F8282E
WdsSetupLogMessageW.WDSCORE ref: 00007FF727F8288E

Strings

Received invalid log severity %u, xrefs: 00007FF727F82779
base\reset\util\src\logging.cpp, xrefs: 00007FF727F8278D
PushButtonReset::Logging::Trace, xrefs: 00007FF727F82862
PushButtonReset::Logging::Trace, xrefs: 00007FF727F82794
0x%08x in %hs (%hs:%d): %s, xrefs: 00007FF727F82A5C
base\reset\util\src\logging.cpp, xrefs: 00007FF727F8286E, 00007FF727F82AC2
Unknown, xrefs: 00007FF727F827AA
Error, xrefs: 00007FF727F827B3
Info, xrefs: 00007FF727F827D1
Warn, xrefs: 00007FF727F827C2
PushButtonReset::Logging::TraceErr, xrefs: 00007FF727F82AB6
%s: %s, xrefs: 00007FF727F82807

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDebugErrorLastMessageOutputSetupString_cwprintf_s_l_vscwprintfvswprintf_s
String ID: %s: %s$0x%08x in %hs (%hs:%d): %s$Error$Info$PushButtonReset::Logging::Trace$PushButtonReset::Logging::Trace$PushButtonReset::Logging::TraceErr$Received invalid log severity %u$Unknown$Warn$base\reset\util\src\logging.cpp$base\reset\util\src\logging.cpp
API String ID: 4168859728-3573253688
Opcode ID: 74aa1e8ccf68d22cada131e4dd5809a3fad1d99e96a70e2be4231378b107fd4b
Instruction ID: 1b8d8f252276aef087b69ab6b8bc60a44e66ad4b4f98f4008b669107678e5c85
Opcode Fuzzy Hash: 74aa1e8ccf68d22cada131e4dd5809a3fad1d99e96a70e2be4231378b107fd4b
Instruction Fuzzy Hash: 1A617372A0CB4681EB10AF15ED44369B3A0FB46BA0F844236D95D277A5DF3CEA47CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F82E20, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 211memorycomCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF727F82CD0: OpenEventW.KERNEL32 ref: 00007FF727F82CFD
Part of subcall function 00007FF727F82CD0: GetLastError.KERNEL32 ref: 00007FF727F82D1C
Part of subcall function 00007FF727F82CD0: GetLastError.KERNEL32 ref: 00007FF727F82D5F
Part of subcall function 00007FF727F82CD0: CloseHandle.KERNEL32 ref: 00007FF727F82DFA

CoCreateInstance.OLE32 ref: 00007FF727F82EC6
SysAllocString.OLEAUT32 ref: 00007FF727F82F84
SysAllocString.OLEAUT32 ref: 00007FF727F83053
SysFreeString.OLEAUT32 ref: 00007FF727F83103
SysFreeString.OLEAUT32 ref: 00007FF727F83138

Strings

Failed to wait for task scheduler launch, attempting to delete task anyways, xrefs: 00007FF727F82E6A
Failed to delete [%s], xrefs: 00007FF727F830D4
Failed to open root task folder, xrefs: 00007FF727F83025
Failed to create task service object, xrefs: 00007FF727F82ED7
PushButtonReset::ScheduledTask::Delete, xrefs: 00007FF727F82E5A
Failed to allocate folderPath, xrefs: 00007FF727F82FA1
base\reset\util\src\scheduledtask.cpp, xrefs: 00007FF727F82E53
Failed to connect to task scheduler service, xrefs: 00007FF727F82F56
Failed to allocate taskName, xrefs: 00007FF727F83070

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocErrorFreeLast$CloseCreateEventHandleInstanceOpen
String ID: Failed to allocate folderPath$Failed to allocate taskName$Failed to connect to task scheduler service$Failed to create task service object$Failed to delete [%s]$Failed to open root task folder$Failed to wait for task scheduler launch, attempting to delete task anyways$PushButtonReset::ScheduledTask::Delete$base\reset\util\src\scheduledtask.cpp
API String ID: 3522896565-3640792692
Opcode ID: ef292b8697131cd69190c7f22a8c8dc9d03f6d61c623a2426ecdcf21e5a7eb32
Instruction ID: 4bb82170ec8bb8b713c8e6a7b52309e4222149c73f8750830067dce71326c7f3
Opcode Fuzzy Hash: ef292b8697131cd69190c7f22a8c8dc9d03f6d61c623a2426ecdcf21e5a7eb32
Instruction Fuzzy Hash: D3A13B26B08F4286EB10DB51ED402ADB3A1FB4AB98F800235DE5D67765DF38E647C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F82CD0, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 79synchronizationCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32 ref: 00007FF727F82CFD
GetLastError.KERNEL32 ref: 00007FF727F82D1C
GetLastError.KERNEL32 ref: 00007FF727F82D5F
WaitForSingleObject.KERNEL32 ref: 00007FF727F82D7B
GetLastError.KERNEL32 ref: 00007FF727F82D87
GetLastError.KERNEL32 ref: 00007FF727F82DD0
CloseHandle.KERNEL32 ref: 00007FF727F82DFA

Strings

Global\SC_AutoStartComplete, xrefs: 00007FF727F82CEC
PbrWaitForTaskService, xrefs: 00007FF727F82D50, 00007FF727F82DBF
Failed to open event [%s], xrefs: 00007FF727F82D35
Failed to wait for [%s] event (wait: [%u]), xrefs: 00007FF727F82DA4
base\reset\util\src\scheduledtask.cpp, xrefs: 00007FF727F82D49, 00007FF727F82DB8
3, xrefs: 00007FF727F82DB0

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CloseEventHandleObjectOpenSingleWait
String ID: 3$Failed to open event [%s]$Failed to wait for [%s] event (wait: [%u])$Global\SC_AutoStartComplete$PbrWaitForTaskService$base\reset\util\src\scheduledtask.cpp
API String ID: 2650214448-3948170186
Opcode ID: 514a21734493c4f090ce6a80480b538d49cf9d5719740612c7f4055c3c13260a
Instruction ID: aee5628d46c66eb72d1d0792166e00d3f56c185c1e103ecfaf2387e321325ebd
Opcode Fuzzy Hash: 514a21734493c4f090ce6a80480b538d49cf9d5719740612c7f4055c3c13260a
Instruction Fuzzy Hash: FF31733690CB4285E310AB25ED04269B3E5FB857A0F954335DA6D573A9EF3CD607CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F8374C, Relevance: 10.6, APIs: 7, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF727F83774
Sleep.KERNEL32 ref: 00007FF727F837AB
_amsg_exit.MSVCRT ref: 00007FF727F837C9
_initterm.MSVCRT ref: 00007FF727F83854
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF727F83881
exit.MSVCRT ref: 00007FF727F83926
_cexit.MSVCRT ref: 00007FF727F83935

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: f676deb1d04620fea3cfd7b3dec8ccf9e5be4787d0c1444ba8255d79a22d55cd
Instruction ID: 6aab7d49b84db72914036482e645045dac11d284cd5d2af9c1c12bb82a4d3069
Opcode Fuzzy Hash: f676deb1d04620fea3cfd7b3dec8ccf9e5be4787d0c1444ba8255d79a22d55cd
Instruction Fuzzy Hash: CB614722A0D64282EB60AB15EE4423DB2A1FF46750F844135D94DA76A5DF3CEA43CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F8256C, Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

FindResourceExW.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F8259D
LoadResource.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F825AF
LockResource.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F825BD
GetLastError.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F82621
GetLastError.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F82630
GetLastError.KERNEL32(?,?,?,00007FF727F826A3,?,?,?,?,?,00007FF727F81291), ref: 00007FF727F8263F

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastResource$FindLoadLock
String ID:
API String ID: 2613642035-0
Opcode ID: f1a87b87f09daf156b1451b7ae7baa8afaaa0408cc015ede1b757b2b75aabbb8
Instruction ID: bc918bcc77372268eb24d7ea32486dc15b73aa4555ea73cfe3e6c2fa31a4ecd5
Opcode Fuzzy Hash: f1a87b87f09daf156b1451b7ae7baa8afaaa0408cc015ede1b757b2b75aabbb8
Instruction Fuzzy Hash: B821C561F0DB4286EB146F65AD5023AB2A0EF45F40F888138DA4E9B755DE3CFD539A20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F84380, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

UnregisterClassA.USER32 ref: 00007FF727F843CC
free.MSVCRT ref: 00007FF727F843EE
DeleteCriticalSection.KERNEL32 ref: 00007FF727F84411
free.MSVCRT ref: 00007FF727F8442A
free.MSVCRT ref: 00007FF727F84470

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: free$ClassCriticalDeleteSectionUnregister
String ID:
API String ID: 46291987-0
Opcode ID: b44f2ee5fbf650efd21bf89df4c6f555adfe3790e0b4005e3c5698aaaed114c9
Instruction ID: 2bcaa6789f2361891eeb12644ec3955d9971afdcae9b1a52354060b2db1a1dc3
Opcode Fuzzy Hash: b44f2ee5fbf650efd21bf89df4c6f555adfe3790e0b4005e3c5698aaaed114c9
Instruction Fuzzy Hash: E7213D20E1DB0386FB00AB21EE84734B260FF52B55FC40134C42D361A5DF2CA69B9F28

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727F81910, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF727F8195C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF727F81978

Memory Dump Source

Source File: 00000015.00000002.389646712.00007FF727F81000.00000020.00020000.sdmp, Offset: 00007FF727F80000, based on PE: true

Associated: 00000015.00000002.389633645.00007FF727F80000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389722408.00007FF727F86000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.389735730.00007FF727F89000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.389748317.00007FF727F8B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 56639f76868619aa43dbcae2f4edc8e7ddcfe7a5a661f53037de7ac10728083f
Instruction ID: be1fbab40eb450e70ce8f62038e5b5f526b7e79cb46af43633691c2169ad768b
Opcode Fuzzy Hash: 56639f76868619aa43dbcae2f4edc8e7ddcfe7a5a661f53037de7ac10728083f
Instruction Fuzzy Hash: 3E212C65A1DA0281EB10EB15EE54378B3A1FB4AB94FD44136D90D633A4CF3CE247CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RecoveryDrive.exe PID: 6092 Parent PID: 3472 RecoveryDrive.exeCOMMON

Executed Functions

Function 00000120A4552252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00000120A45523B0
VirtualProtect.KERNELBASE ref: 00000120A4552471
RtlAvlRemoveNode.NTDLL ref: 00000120A45525B4
VirtualProtect.KERNELBASE ref: 00000120A4552677

Memory Dump Source

Source File: 00000018.00000002.415883695.00000120A4550000.00000040.00000001.sdmp, Offset: 00000120A4550000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 65512c545a1189f108e6395148393f296ea7a862ee907b0ff602008ae0f559eb
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 5EB15376618BC486D730CB1AF4407EEB7A0F7C9B80F518126EE8957B59DB79C8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000120A4552057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000120A45529A8), ref: 00000120A45520A7

Memory Dump Source

Source File: 00000018.00000002.415883695.00000120A4550000.00000040.00000001.sdmp, Offset: 00000120A4550000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 933ab21d722b8877371c35b6c3a5fca811d2b10047533011a2f2eb3d4a1266ab
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: BA315C76615B9086D780DF1AE45479A7BB0F389BC4F614126EF8E87B29DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7BC7EAEEC, Relevance: 51.2, APIs: 17, Strings: 12, Instructions: 488memoryCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7BC7EAF83
GetFileAttributesW.KERNEL32 ref: 00007FF7BC7EAFCE
GetProcessHeap.KERNEL32 ref: 00007FF7BC7EB64B
HeapFree.KERNEL32 ref: 00007FF7BC7EB659
GetProcessHeap.KERNEL32 ref: 00007FF7BC7EB66C
HeapFree.KERNEL32 ref: 00007FF7BC7EB67B
GetProcessHeap.KERNEL32 ref: 00007FF7BC7EB696
HeapFree.KERNEL32 ref: 00007FF7BC7EB6A4

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC7EB4EE, 00007FF7BC7EB614
MediaLayout: Checking source layout path: [%s], xrefs: 00007FF7BC7EAF6D
Sources, xrefs: 00007FF7BC7EAF4E
CDlpActionWimLayout::ActionMediaToLayout, xrefs: 00007FF7BC7EB4E7, 00007FF7BC7EB60D
support, xrefs: 00007FF7BC7EB0E8
MediaLayout: Copying layout path: [%s]..., xrefs: 00007FF7BC7EB3D5
sources\xp, xrefs: 00007FF7BC7EB078
MediaLayout: Checking target layout path: [%s], xrefs: 00007FF7BC7EAFB8
MediaLayout: Calculating size of media path: [%s]..., xrefs: 00007FF7BC7EB1C8
Efi, xrefs: 00007FF7BC7EAF43
sources\vista, xrefs: 00007FF7BC7EB008
Boot, xrefs: 00007FF7BC7EAF38

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$AttributesFile
String ID: %s(%d): Result = 0x%X$Boot$CDlpActionWimLayout::ActionMediaToLayout$Efi$MediaLayout: Calculating size of media path: [%s]...$MediaLayout: Checking source layout path: [%s]$MediaLayout: Checking target layout path: [%s]$MediaLayout: Copying layout path: [%s]...$Sources$sources\vista$sources\xp$support
API String ID: 1958223705-3375957429
Opcode ID: 716b6670ee626857af3052adb30a7a13ca8ab1ee4151a6e90f9ee36f6a98aa6a
Instruction ID: 5951bdfd1d04f65cc53e9d1999dfa6d6cef868a3a5da48a5670b78c2e4a56280
Opcode Fuzzy Hash: 716b6670ee626857af3052adb30a7a13ca8ab1ee4151a6e90f9ee36f6a98aa6a
Instruction Fuzzy Hash: B622B262B0964386FB10EF69D45067DABA9FF9A748F818136DF0D97698DF3CE1008724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC846D24, Relevance: 49.4, APIs: 20, Strings: 8, Instructions: 437memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC846E8D
WinHttpQueryHeaders.WINHTTP ref: 00007FF7BC846EBC
_wcstoui64.MSVCRT ref: 00007FF7BC846ED0
GetLastError.KERNEL32 ref: 00007FF7BC846EF5
WinHttpCloseHandle.WINHTTP ref: 00007FF7BC846F28
WinHttpCloseHandle.WINHTTP ref: 00007FF7BC846F3D
GetProcessHeap.KERNEL32 ref: 00007FF7BC846FA4
HeapAlloc.KERNEL32 ref: 00007FF7BC846FB2
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF7BC847021
GetLastError.KERNEL32 ref: 00007FF7BC84702B
WinHttpReadData.WINHTTP ref: 00007FF7BC8470C5
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF7BC84713A
GetLastError.KERNEL32 ref: 00007FF7BC8471AF
GetProcessHeap.KERNEL32 ref: 00007FF7BC8472FA
HeapFree.KERNEL32 ref: 00007FF7BC847308
WinHttpCloseHandle.WINHTTP ref: 00007FF7BC847317
WinHttpCloseHandle.WINHTTP ref: 00007FF7BC847328
SysFreeString.OLEAUT32 ref: 00007FF7BC847338
GetLastError.KERNEL32 ref: 00007FF7BC847365

Part of subcall function 00007FF7BC845EB0: WinHttpCloseHandle.WINHTTP ref: 00007FF7BC846005
Part of subcall function 00007FF7BC845EB0: WinHttpCloseHandle.WINHTTP ref: 00007FF7BC846014
Part of subcall function 00007FF7BC845EB0: GlobalFree.KERNEL32 ref: 00007FF7BC846024
Part of subcall function 00007FF7BC845EB0: GlobalFree.KERNEL32 ref: 00007FF7BC846034
Part of subcall function 00007FF7BC845EB0: GlobalFree.KERNEL32 ref: 00007FF7BC846048
Part of subcall function 00007FF7BC845EB0: GlobalFree.KERNEL32 ref: 00007FF7BC846057
Part of subcall function 00007FF7BC845EB0: GlobalFree.KERNEL32 ref: 00007FF7BC846066

GetLastError.KERNEL32 ref: 00007FF7BC8473B0

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

PrepareFile: WinHttpQueryHeaders failed -> [0x%X], xrefs: 00007FF7BC8473D3
%s(%d): Result = 0x%X, xrefs: 00007FF7BC846DBA, 00007FF7BC846E56, 00007FF7BC846FE7, 00007FF7BC847077, 00007FF7BC8471F5, 00007FF7BC847263
GET, xrefs: 00007FF7BC846F64
PrepareFile: Content-Length=[%I64u], xrefs: 00007FF7BC847161
HEAD, xrefs: 00007FF7BC846E27
PrepareFile: HEAD -> Content-Length=[%I64u], xrefs: 00007FF7BC846EE9
CDlpTransportHttp::PrepareFile, xrefs: 00007FF7BC846DB3, 00007FF7BC846E4F, 00007FF7BC846FE0, 00007FF7BC847070, 00007FF7BC8471FC, 00007FF7BC84725C
PrepareFile: Content-Length header not found. Trying GET..., xrefs: 00007FF7BC846F0F

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Http$Free$CloseHandleHeap$ErrorGlobalLast$DataProcessQuery$Available$AllocHeadersReadString_wcstoui64memset
String ID: %s(%d): Result = 0x%X$CDlpTransportHttp::PrepareFile$GET$HEAD$PrepareFile: Content-Length header not found. Trying GET...$PrepareFile: Content-Length=[%I64u]$PrepareFile: HEAD -> Content-Length=[%I64u]$PrepareFile: WinHttpQueryHeaders failed -> [0x%X]
API String ID: 2170522802-2196169704
Opcode ID: 225608a782177e5753bda6f5f42c44571181bc7fab62a0e16ea281cde4660671
Instruction ID: e4d92c84ecc8a78951e234a870fcb9a91404443f2f4cfc8a727f16d3fe6ff8ee
Opcode Fuzzy Hash: 225608a782177e5753bda6f5f42c44571181bc7fab62a0e16ea281cde4660671
Instruction Fuzzy Hash: 071295B1A0C6428AFB50AF59D440279A3A5FFA6784F948139EF4E8765CDF3CE454C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7D8D98, Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 391COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC7D8EFA
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7BC7D8F0F
SysFreeString.OLEAUT32 ref: 00007FF7BC7D8F78
memset.MSVCRT ref: 00007FF7BC7D900F
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7BC7D9024
GetLastError.KERNEL32 ref: 00007FF7BC7D9085

Part of subcall function 00007FF7BC7D8BD8: memset.MSVCRT ref: 00007FF7BC7D8C12
Part of subcall function 00007FF7BC7D8BD8: GetVolumePathNameW.KERNEL32 ref: 00007FF7BC7D8C25
Part of subcall function 00007FF7BC7D8BD8: GetLastError.KERNEL32 ref: 00007FF7BC7D8C2F

SysFreeString.OLEAUT32 ref: 00007FF7BC7D9147
memset.MSVCRT ref: 00007FF7BC7D91E3
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7BC7D91F8
GetLastError.KERNEL32 ref: 00007FF7BC7D9259

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

SysFreeString.OLEAUT32 ref: 00007FF7BC7D92EC
SysFreeString.OLEAUT32 ref: 00007FF7BC7D933A
GetLastError.KERNEL32 ref: 00007FF7BC7D9389

Strings

CheckComponentOnVolume, xrefs: 00007FF7BC7D8E2B, 00007FF7BC7D90C6
%s(%d): Result = 0x%X, xrefs: 00007FF7BC7D8E32, 00007FF7BC7D90CD
z, xrefs: 00007FF7BC7D9127
Create Snapshot: Failed to check whether [%s] is on volume [%s]: 0x%08x. Assuming the file path is invalid and skipping it., xrefs: 00007FF7BC7D8F52, 00007FF7BC7D906F, 00007FF7BC7D9243

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$ErrorLastStringmemset$EnvironmentExpandStrings$Heap$NamePathProcessVolume
String ID: %s(%d): Result = 0x%X$CheckComponentOnVolume$Create Snapshot: Failed to check whether [%s] is on volume [%s]: 0x%08x. Assuming the file path is invalid and skipping it.$z
API String ID: 2795443547-2796581484
Opcode ID: 2abdd0ea8c4e5c72548ff923ca0b12f599104cb9a038eae199693091ce183e90
Instruction ID: c05f5f9a96030ed67c2163f30a752550def98d0db095c1c92406ddf7c6d0fccb
Opcode Fuzzy Hash: 2abdd0ea8c4e5c72548ff923ca0b12f599104cb9a038eae199693091ce183e90
Instruction Fuzzy Hash: EC026361A0864386FB50AF1DE44037AA7A0FFAAB44F948136DB5E8769CDF7DD444C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7D7DE0, Relevance: 28.6, APIs: 19, Instructions: 126windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7BC7D7E2E
memset.MSVCRT ref: 00007FF7BC7D7E49
LoadStringW.USER32 ref: 00007FF7BC7D7E65
CloseHandle.KERNEL32 ref: 00007FF7BC7D7E86
GetDlgItem.USER32 ref: 00007FF7BC7D7ED1
SendMessageW.USER32 ref: 00007FF7BC7D7EEA
GetParent.USER32 ref: 00007FF7BC7D7EF3
PostMessageW.USER32 ref: 00007FF7BC7D7F0C
GetParent.USER32 ref: 00007FF7BC7D7F15
PostMessageW.USER32 ref: 00007FF7BC7D7F2A
ResetEvent.KERNEL32 ref: 00007FF7BC7D7F40
CreateThread.KERNEL32 ref: 00007FF7BC7D7F5F
WaitForSingleObject.KERNEL32 ref: 00007FF7BC7D7F77
GetParent.USER32 ref: 00007FF7BC7D7F89
SendMessageW.USER32 ref: 00007FF7BC7D7F9D
GetParent.USER32 ref: 00007FF7BC7D7FAB
SendMessageW.USER32 ref: 00007FF7BC7D7FC3
SendMessageW.USER32 ref: 00007FF7BC7D7FEB
SetWindowLongPtrW.USER32 ref: 00007FF7BC7D7FF9

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$ParentSend$ItemPost$CloseCreateEventHandleLoadLongObjectResetSingleStringThreadWaitWindowmemset
String ID:
API String ID: 2127488274-0
Opcode ID: 594761618e2b57d4206632e5043f5f541180ac2bec4a2eb76def4e02b196baa7
Instruction ID: aebf72438477db353da12fcc9fbe4911ce165d0f455fc414236e0b37e2cca6a2
Opcode Fuzzy Hash: 594761618e2b57d4206632e5043f5f541180ac2bec4a2eb76def4e02b196baa7
Instruction Fuzzy Hash: 6A51A471B08A4282F750AB19EC04739A355BFAAB91F948135CF5D47BACDF7CE8168720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC855D8C, Relevance: 25.7, APIs: 17, Instructions: 199memoryfileCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855E41
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855E4B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855E92
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855E9D
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855EAA
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855EB8
InitializeAcl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855EDE
AddAccessAllowedAce.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855F02
AddAccessAllowedAce.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855F1F
CreateFileW.KERNEL32 ref: 00007FF7BC855F54
SetSecurityInfo.ADVAPI32 ref: 00007FF7BC855FB5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC855FFF
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC85600B
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC856019
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC856029
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC856038
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC856046

Part of subcall function 00007FF7BC857160: GetProcessHeap.KERNEL32 ref: 00007FF7BC85736B
Part of subcall function 00007FF7BC857160: HeapFree.KERNEL32 ref: 00007FF7BC857379
Part of subcall function 00007FF7BC857160: GetProcessHeap.KERNEL32 ref: 00007FF7BC857385
Part of subcall function 00007FF7BC857160: HeapFree.KERNEL32 ref: 00007FF7BC857393
Part of subcall function 00007FF7BC857160: CloseHandle.KERNEL32 ref: 00007FF7BC8573A8

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$AccessAllowedCloseHandleInitializeLength$AllocAllocateCreateErrorFileInfoLastSecurity
String ID:
API String ID: 411975645-0
Opcode ID: b99e8d504a57fb8b84f7aa0c1a5a34476cc1cd46546921c0e49d12a053d272c2
Instruction ID: 3491a9ce40df27b512cd49324690cb5537aac8f1ac8822a67cb666a1cce63230
Opcode Fuzzy Hash: b99e8d504a57fb8b84f7aa0c1a5a34476cc1cd46546921c0e49d12a053d272c2
Instruction Fuzzy Hash: D381C725B08A4286FB10AF29A91037EA751BF56BB8F808234DF2E577D8DF7DD4258310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7EBD70, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EBE8E
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EBED1
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EBF44
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EBF87
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EBFE2
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EC025
GetFileAttributesW.KERNEL32 ref: 00007FF7BC7EC075

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7EC1A3

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC7EC0CA
CDlpActionWimLayout::ProcessImageFile, xrefs: 00007FF7BC7EC0C3

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$AttributesEnterFilememset
String ID: %s(%d): Result = 0x%X$CDlpActionWimLayout::ProcessImageFile
API String ID: 4293412323-2879959298
Opcode ID: 7ef1484f5a800b82577782cd217c9730d3dd11f424a83a7a190ece41a277b89c
Instruction ID: ecef925b52def9cc247abba59a528dd46e6d6c8b59d53f353c9f3e8af2caca68
Opcode Fuzzy Hash: 7ef1484f5a800b82577782cd217c9730d3dd11f424a83a7a190ece41a277b89c
Instruction Fuzzy Hash: ADC19272A0874286EB64AF69E8441BDB7A5FB99784F408135EB9E4769DDF3CE400C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC80FE20, Relevance: 12.1, APIs: 8, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7BC80FE54
GetProcessHeap.KERNEL32 ref: 00007FF7BC80FE67
HeapAlloc.KERNEL32 ref: 00007FF7BC80FE78
DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0 ref: 00007FF7BC80FEA9
GetLastError.KERNEL32 ref: 00007FF7BC80FEB3
GetProcessHeap.KERNEL32 ref: 00007FF7BC80FED0
HeapFree.KERNEL32 ref: 00007FF7BC80FEDE
SetLastError.KERNEL32 ref: 00007FF7BC80FEFC

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ErrorLast$Process$AllocControlDeviceFree
String ID:
API String ID: 432944198-0
Opcode ID: f6e6e548968908baaf651dba53ff2cffae9d3f49d3b7b62ad47f3b1a01420e6c
Instruction ID: 37091820ed4ad403444d791be1256d927756beecb5c0cc6d62381502cd55a892
Opcode Fuzzy Hash: f6e6e548968908baaf651dba53ff2cffae9d3f49d3b7b62ad47f3b1a01420e6c
Instruction Fuzzy Hash: 3F219131B0874282F710AB29A844629B7D1FBAAFA0F95C535DF5E47BA8DF3CE4518610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC842EA8, Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BC8433DB

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC84335F
Z, xrefs: 00007FF7BC843350
CDlpTransportBits::UpdateFileProgress, xrefs: 00007FF7BC843358

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeavememset
String ID: %s(%d): Result = 0x%X$CDlpTransportBits::UpdateFileProgress$Z
API String ID: 759993129-414574274
Opcode ID: bcad0c0650b825c94379b3478b3c58055f240c53339c05da55e83b2cd9120ca7
Instruction ID: 7645350de245a825e4626a0f25424881b76d8bd4bfdbbf9999548543385e72e1
Opcode Fuzzy Hash: bcad0c0650b825c94379b3478b3c58055f240c53339c05da55e83b2cd9120ca7
Instruction Fuzzy Hash: 2EF15032704B469AEF189F29D49036CA3A1FB5AB54F848536CB6D477A8DF7CE468C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC800EC0, Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 275memoryfileCOMMON

Download Yara Rule

APIs

WIMCreateFile.WIMGAPI ref: 00007FF7BC800F27
GetLastError.KERNEL32 ref: 00007FF7BC800F39
WIMSetTemporaryPath.WIMGAPI ref: 00007FF7BC800FDD
GetLastError.KERNEL32 ref: 00007FF7BC800FE7
WIMGetImageInformation.WIMGAPI ref: 00007FF7BC80103B
GetLastError.KERNEL32 ref: 00007FF7BC801045
UnattendCtxDeserializeBuffer.UNATTEND ref: 00007FF7BC801096
UnattendCtxOpenNode.UNATTEND ref: 00007FF7BC8010CF
UnattendCtxCleanup.UNATTEND ref: 00007FF7BC801265
GetProcessHeap.KERNEL32 ref: 00007FF7BC80127C
HeapFree.KERNEL32 ref: 00007FF7BC80128A
GetProcessHeap.KERNEL32 ref: 00007FF7BC801299
HeapFree.KERNEL32 ref: 00007FF7BC8012A8
LocalFree.KERNEL32 ref: 00007FF7BC8012BF
WIMCloseHandle.WIMGAPI ref: 00007FF7BC8012D1

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC800FA9, 00007FF7BC801240
CDlpActionRecoverCrypto::ClearKeyFromXml, xrefs: 00007FF7BC800FA2, 00007FF7BC801239
WIM\ESD\KEY, xrefs: 00007FF7BC8010C4

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ErrorFreeLastUnattend$Process$BufferCleanupCloseCreateDeserializeFileHandleImageInformationLocalNodeOpenPathTemporary
String ID: %s(%d): Result = 0x%X$CDlpActionRecoverCrypto::ClearKeyFromXml$WIM\ESD\KEY
API String ID: 3450152512-84633879
Opcode ID: 7f8cd28600c97d70403af64ca332f5610dbac3bd5649bbd9f53cee53fae391bf
Instruction ID: 7480bdd931a8da9e3097305769caadb2ce330a1fdf8fc64bf7abe37bc8df6f76
Opcode Fuzzy Hash: 7f8cd28600c97d70403af64ca332f5610dbac3bd5649bbd9f53cee53fae391bf
Instruction Fuzzy Hash: 31C1B272A0965286FB21EF689440279A3E4FFA6758F808139DF0DD7698DF3CE4648760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7FCF00, Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 358COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7BC7FD431
SysFreeString.OLEAUT32 ref: 00007FF7BC7FD447
SysFreeString.OLEAUT32 ref: 00007FF7BC7FD45D
SysFreeString.OLEAUT32 ref: 00007FF7BC7FD473
SysFreeString.OLEAUT32 ref: 00007FF7BC7FD488

Strings

RemoteSourcePath, xrefs: 00007FF7BC7FD21B
WimTargetPath, xrefs: 00007FF7BC7FD1D0
RepairRetryCount, xrefs: 00007FF7BC7FD054
CurrentRangeSaved, xrefs: 00007FF7BC7FD3E8
DeleteSource, xrefs: 00007FF7BC7FD152
CorruptBlocksCount, xrefs: 00007FF7BC7FD0D6
HashType, xrefs: 00007FF7BC7FD016
Flags, xrefs: 00007FF7BC7FD114
FileHash, xrefs: 00007FF7BC7FD2A5
%s(%d): Result = 0x%X, xrefs: 00007FF7BC7FCF7F
CryptoKey, xrefs: 00007FF7BC7FD260
WimSourcePath, xrefs: 00007FF7BC7FCFD7
CurrentRangeWritten, xrefs: 00007FF7BC7FD3AB
WimFileSize, xrefs: 00007FF7BC7FD190
RepairAttemptsCount, xrefs: 00007FF7BC7FD095
CDlpActionRecoverCrypto::DeserializeRoutine, xrefs: 00007FF7BC7FCF78

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString
String ID: %s(%d): Result = 0x%X$CDlpActionRecoverCrypto::DeserializeRoutine$CorruptBlocksCount$CryptoKey$CurrentRangeSaved$CurrentRangeWritten$DeleteSource$FileHash$Flags$HashType$RemoteSourcePath$RepairAttemptsCount$RepairRetryCount$WimFileSize$WimSourcePath$WimTargetPath
API String ID: 3341692771-266856055
Opcode ID: c9b34ba08cd70943e24f40cf3778222f723922b8cf8bfb7c5e1c2df734b864e9
Instruction ID: 5411cd62a6975b1d0c3ae056787cf524650a426426d7ac0abc3a547c7969a14c
Opcode Fuzzy Hash: c9b34ba08cd70943e24f40cf3778222f723922b8cf8bfb7c5e1c2df734b864e9
Instruction Fuzzy Hash: FA025162B187828AFB20DF59D484379A7A4FB6A784F808136DF5D87B98DF7CE0548710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7F3E9C, Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC7F3F0C
GetSystemWindowsDirectoryW.KERNEL32 ref: 00007FF7BC7F3F1D
GetLastError.KERNEL32 ref: 00007FF7BC7F3F27
wcscpy_s.MSVCRT ref: 00007FF7BC7F3F7D

Part of subcall function 00007FF7BC7D3B08: GetProcessHeap.KERNEL32(?,?,00000000,00000000), ref: 00007FF7BC7D3C1D
Part of subcall function 00007FF7BC7D3B08: HeapFree.KERNEL32(?,?,00000000,00000000), ref: 00007FF7BC7D3C2B

wcscpy_s.MSVCRT ref: 00007FF7BC7F4029
RtlNtStatusToDosError.NTDLL ref: 00007FF7BC7F405B
SetLastError.KERNEL32 ref: 00007FF7BC7F4063
GetLastError.KERNEL32 ref: 00007FF7BC7F40B8
GetLastError.KERNEL32 ref: 00007FF7BC7F40D1
GetLastError.KERNEL32 ref: 00007FF7BC7F4136
GetLastError.KERNEL32 ref: 00007FF7BC7F414F
GetProcessHeap.KERNEL32 ref: 00007FF7BC7F41B4
HeapFree.KERNEL32 ref: 00007FF7BC7F41C3

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC7F3EA1, 00007FF7BC7F3FBE, 00007FF7BC7F4186
Uefi, xrefs: 00007FF7BC7F4014
LayoutUsb: Failed to run BfsInitializeSystemVolume with path [%s], Firmware type [%s], xrefs: 00007FF7BC7F4125
LayoutUsb: Failed to run BfsServiceBootFiles with source path [%s], Firmware type [%s], xrefs: 00007FF7BC7F40A7
LayoutUsb: Recover usb. Using BfsServiceBootFiles to copy boot files, xrefs: 00007FF7BC7F3EE6
Bios, xrefs: 00007FF7BC7F401D
UnknownType, xrefs: 00007FF7BC7F400B
CDlpActionLayoutUsb::CopyBootFiles, xrefs: 00007FF7BC7F3FB7, 00007FF7BC7F417F
Boot, xrefs: 00007FF7BC7F3F8B

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Error$HeapLast$FreeProcess$wcscpy_s$DirectoryStatusSystemWindowsmemset
String ID: %s(%d): Result = 0x%X$Bios$Boot$CDlpActionLayoutUsb::CopyBootFiles$LayoutUsb: Failed to run BfsInitializeSystemVolume with path [%s], Firmware type [%s]$LayoutUsb: Failed to run BfsServiceBootFiles with source path [%s], Firmware type [%s]$LayoutUsb: Recover usb. Using BfsServiceBootFiles to copy boot files$Uefi$UnknownType
API String ID: 887523922-2971059369
Opcode ID: 5159e8e213736cd76e272aae6351a8d720ca0eaf86a0e33581bc8be23101b9d4
Instruction ID: 2a175a952b3e273a9e640f35adba030aa09dc2e5a265dc10ad93e56095e0152d
Opcode Fuzzy Hash: 5159e8e213736cd76e272aae6351a8d720ca0eaf86a0e33581bc8be23101b9d4
Instruction Fuzzy Hash: 8F91A565A1868387F710BF29D4902B9A3A5FFAA744FD08136DB4E8769CDF3CE5448720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC811E4C, Relevance: 37.1, APIs: 14, Strings: 7, Instructions: 317COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC811EBE
memset.MSVCRT ref: 00007FF7BC812034
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC812066
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC812079
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC81208C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC81209F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC8120B2
memset.MSVCRT ref: 00007FF7BC812104
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC81227A
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC812290
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC8122A3
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC8122B6
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC8122C9
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7BC8122DC

Strings

ConvertDiskStyle: Failed to convert disk [%d] to %s; hr = 0x%x, xrefs: 00007FF7BC812250
ConvertDiskStyle: Disk [%d] is an %s disk; converting to %s..., xrefs: 00007FF7BC81214D
MBR, xrefs: 00007FF7BC812132
ConvertDiskStyle: Conversion failed since disk [%d] is not empty., xrefs: 00007FF7BC8121DE
GPT, xrefs: 00007FF7BC81213E
ConvertUnallocatedDisk: Successfully added unallocated disk to a new basic pack, xrefs: 00007FF7BC811FDB
ConvertDiskStyle: Successfully converted disk [%d] to %s., xrefs: 00007FF7BC812232

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask$memset
String ID: ConvertDiskStyle: Conversion failed since disk [%d] is not empty.$ConvertDiskStyle: Disk [%d] is an %s disk; converting to %s...$ConvertDiskStyle: Failed to convert disk [%d] to %s; hr = 0x%x$ConvertDiskStyle: Successfully converted disk [%d] to %s.$ConvertUnallocatedDisk: Successfully added unallocated disk to a new basic pack$GPT$MBR
API String ID: 725615078-230989658
Opcode ID: 951f0a972897a4c5c0f677dc6241a50de7796d9c389e1f990305be485664cda2
Instruction ID: 8647ed79ed448596b6e59f34b300ae3dac30c9d2812797403761ccc45241f131
Opcode Fuzzy Hash: 951f0a972897a4c5c0f677dc6241a50de7796d9c389e1f990305be485664cda2
Instruction Fuzzy Hash: 56E16036B09B4286EB55EB59E840569A3A0FF9AB85F808135DF4E47B6CCF3CE464C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC819DF8, Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7BC819E37
GetLastError.KERNEL32 ref: 00007FF7BC819E46
GetFileSizeEx.KERNEL32 ref: 00007FF7BC819EA8
GetLastError.KERNEL32 ref: 00007FF7BC819EB2
CreateFileMappingW.KERNEL32 ref: 00007FF7BC819F27
GetLastError.KERNEL32 ref: 00007FF7BC819F35
MapViewOfFile.KERNEL32 ref: 00007FF7BC819F74
GetLastError.KERNEL32 ref: 00007FF7BC819F82
CloseHandle.KERNEL32 ref: 00007FF7BC819FB9
CloseHandle.KERNEL32 ref: 00007FF7BC819FC2
SetLastError.KERNEL32 ref: 00007FF7BC819FCA

Strings

Failed to open file %s for read! Error code = %#x, xrefs: 00007FF7BC819E6E
MapViewOfFile(%s) failed! Error code = %#x, xrefs: 00007FF7BC819FA2
Unable to open file %s for read because the file or path does not exist, xrefs: 00007FF7BC819E8A
CreateFileMapping(%s) failed! Error code = %#x, xrefs: 00007FF7BC819F52
File %s is too large!, xrefs: 00007FF7BC819EF7
Failed to get file size for %s! Error code = %#x, xrefs: 00007FF7BC819ECF

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$File$CloseCreateHandle$MappingSizeView
String ID: CreateFileMapping(%s) failed! Error code = %#x$Failed to get file size for %s! Error code = %#x$Failed to open file %s for read! Error code = %#x$File %s is too large!$MapViewOfFile(%s) failed! Error code = %#x$Unable to open file %s for read because the file or path does not exist
API String ID: 390680941-984806536
Opcode ID: ec30f69fc01b13e89462ebf401ba40c2ad78adb1f555edb9e35891c12b20954d
Instruction ID: 84182232fd799686828e81056f8696e4c20ed0953ff65b0db113ad55fc9bf988
Opcode Fuzzy Hash: ec30f69fc01b13e89462ebf401ba40c2ad78adb1f555edb9e35891c12b20954d
Instruction Fuzzy Hash: 2E518271A0860287F610BB2DE98067CB3D1AF6ABD1F948135DF1E437A9DF7CE4608661

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC80EE20, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 119COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7BC80EE99
GetLastError.KERNEL32 ref: 00007FF7BC80EEA6
GetLastError.KERNEL32 ref: 00007FF7BC80EFCF

Part of subcall function 00007FF7BC80D0A8: _cwprintf_s_l.LIBCMT ref: 00007FF7BC80D1D0
Part of subcall function 00007FF7BC80D0A8: OutputDebugStringW.KERNEL32 ref: 00007FF7BC80D1DD
Part of subcall function 00007FF7BC80D0A8: GetLastError.KERNEL32 ref: 00007FF7BC80D1E3
Part of subcall function 00007FF7BC80D0A8: CurrentIP.WDSCORE ref: 00007FF7BC80D1EB
Part of subcall function 00007FF7BC80D0A8: WdsSetupLogMessageW.WDSCORE ref: 00007FF7BC80D24A

Strings

Failed to get canonical form for [%s], xrefs: 00007FF7BC80EE7D
Failed to delete [%s], xrefs: 00007FF7BC80EFA3
Failed to delete reparse point [%s], xrefs: 00007FF7BC80EF51
base\reset\util\src\filesystem.cpp, xrefs: 00007FF7BC80EF19, 00007FF7BC80EF65, 00007FF7BC80EFB7
PushButtonReset::File::Delete, xrefs: 00007FF7BC80EF20, 00007FF7BC80EF6C, 00007FF7BC80EFBE
Failed to get file attributes for [%s], xrefs: 00007FF7BC80EEC0
Failed to remove read-only/archive bits from [%s], xrefs: 00007FF7BC80EF05

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AttributesCurrentDebugFileMessageOutputSetupString_cwprintf_s_l
String ID: Failed to delete [%s]$Failed to delete reparse point [%s]$Failed to get canonical form for [%s]$Failed to get file attributes for [%s]$Failed to remove read-only/archive bits from [%s]$PushButtonReset::File::Delete$base\reset\util\src\filesystem.cpp
API String ID: 1398542194-2386051923
Opcode ID: 740eb65b5783a99e25b53933db808dd8dc901ac0cd9e96523a6112a0c5a34cd1
Instruction ID: 77a3f95b5062c5b6f8a09fcb38bebadf4772e69bc3bf801f7cb89fe744c091fa
Opcode Fuzzy Hash: 740eb65b5783a99e25b53933db808dd8dc901ac0cd9e96523a6112a0c5a34cd1
Instruction Fuzzy Hash: 01513031A08B4286F750AB2DE800569B3E5FF96754F948236EB9D833A8DF3CD465C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC849D50, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 201synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC849DDA
SetEvent.KERNEL32 ref: 00007FF7BC849EA3
GetLastError.KERNEL32 ref: 00007FF7BC849EAD
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC849F2D
WaitForSingleObject.KERNEL32 ref: 00007FF7BC849F44
CloseHandle.KERNEL32 ref: 00007FF7BC84A01C
CloseHandle.KERNEL32 ref: 00007FF7BC84A02F
CloseHandle.KERNEL32 ref: 00007FF7BC84A042
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC84A05F

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC849FE7
CDlpManager::AsyncSerializeDisable, xrefs: 00007FF7BC849FE0

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CloseHandleLeave$EnterErrorEventLastObjectSingleWaitmemset
String ID: %s(%d): Result = 0x%X$CDlpManager::AsyncSerializeDisable
API String ID: 3475140720-2946689923
Opcode ID: bb284fda6b1db45a034cbb02e6c2b42b16161f215e31fa392f0b8a1e5ca85e3c
Instruction ID: a2c3f2f2663d0893c8c260cef46c69d7acb7080b4a2aa0e16a292e0a92f9e798
Opcode Fuzzy Hash: bb284fda6b1db45a034cbb02e6c2b42b16161f215e31fa392f0b8a1e5ca85e3c
Instruction Fuzzy Hash: 90911C32709B029BEB14AF69D5802A8A3A4FF56B45F844435DB1D5BB98DF3CE465C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC81CED0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CEF1
HeapAlloc.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CF03
GetLastError.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CF2F
GetProcessHeap.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CFAC
HeapFree.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CFBA
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CFCA
SetLastError.KERNEL32(?,?,00000000,00000001,00000000,00007FF7BC81BDC4), ref: 00007FF7BC81CFD6

Strings

BfspSetSecurityDescriptor(%s) failed! Last Error = %#x, xrefs: 00007FF7BC81CF98
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464, xrefs: 00007FF7BC81CF40

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ErrorFreeLastProcess$AllocLocal
String ID: BfspSetSecurityDescriptor(%s) failed! Last Error = %#x$S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
API String ID: 207962182-561465493
Opcode ID: 05105e086968c053ef1f1032c9e08d43a34e23ad8ebae9cea8206a2ed9ddbdf8
Instruction ID: ec2ba9e16bda95513a3a9ee17d50892ac4c6a0e5d6d868c92bad52ff694ea035
Opcode Fuzzy Hash: 05105e086968c053ef1f1032c9e08d43a34e23ad8ebae9cea8206a2ed9ddbdf8
Instruction Fuzzy Hash: 27316121A08B4286F611BF6AA844179E3D1AFEABD1F848035DF8D4775DDFBCE4658220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7E4E54, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 150fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF7BC7E4F07
GetLastError.KERNEL32 ref: 00007FF7BC7E4F15
memset.MSVCRT ref: 00007FF7BC7E4FA3
SysFreeString.OLEAUT32 ref: 00007FF7BC7E5078

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC7E4EB5
WimLayout: File deleted successfully., xrefs: 00007FF7BC7E5044
CDlpActionWimLayout::DeleteSourceFile, xrefs: 00007FF7BC7E4EAE
WimLayout: Delete failure ignored. hr = [0x%X], xrefs: 00007FF7BC7E5028
WimLayout: Attempting to delete file [%s], xrefs: 00007FF7BC7E4EE3
WimLayout: File does not exist., xrefs: 00007FF7BC7E5056

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteErrorFileFreeLastStringmemset
String ID: %s(%d): Result = 0x%X$CDlpActionWimLayout::DeleteSourceFile$WimLayout: Attempting to delete file [%s]$WimLayout: Delete failure ignored. hr = [0x%X]$WimLayout: File deleted successfully.$WimLayout: File does not exist.
API String ID: 3805876019-3894107351
Opcode ID: 5dca6b26bd56034bb541f8e17ae81f2d57d893ec9588ce4a2a5a613c3ba02cb7
Instruction ID: 3630e8ab94b9b6e0d343d68adbf8e227911fb588f5a46de6dbe35df23d7a4ede
Opcode Fuzzy Hash: 5dca6b26bd56034bb541f8e17ae81f2d57d893ec9588ce4a2a5a613c3ba02cb7
Instruction Fuzzy Hash: A761C522B0965386FB51EBA9C4403B9A364BFA9B44F948135DF0E47A8CDF7CE450C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC81CDB8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,00007FF7BC81ABC8), ref: 00007FF7BC81CDF2
HeapAlloc.KERNEL32 ref: 00007FF7BC81CE01
memset.MSVCRT ref: 00007FF7BC81CE1E
LookupPrivilegeValueW.API-MS-WIN-SECURITY-LSALOOKUP-L2-1-0 ref: 00007FF7BC81CE44
GetProcessHeap.KERNEL32 ref: 00007FF7BC81CE74
HeapFree.KERNEL32 ref: 00007FF7BC81CE82
SetLastError.KERNEL32 ref: 00007FF7BC81CE8A
GetLastError.KERNEL32 ref: 00007FF7BC81CEAF

Part of subcall function 00007FF7BC81CA8C: _vsnwprintf_s.MSVCRT ref: 00007FF7BC81CAFA
Part of subcall function 00007FF7BC81CA8C: fwprintf.MSVCRT ref: 00007FF7BC81CBC0
Part of subcall function 00007FF7BC81CA8C: fflush.MSVCRT ref: 00007FF7BC81CBCD

Strings

Failed to lookup privelege! Error code = %#x, xrefs: 00007FF7BC81CEB5

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ErrorLastProcess$AllocFreeLookupPrivilegeValue_vsnwprintf_sfflushfwprintfmemset
String ID: Failed to lookup privelege! Error code = %#x
API String ID: 417251917-1857946863
Opcode ID: 723922c8958d900f40d444721669025757c5d64b25eb56a13157aad96e0a9dce
Instruction ID: 055f402a241d2b377662a5e92bb9166d51495c1e980fa67de328cda5e4136f88
Opcode Fuzzy Hash: 723922c8958d900f40d444721669025757c5d64b25eb56a13157aad96e0a9dce
Instruction Fuzzy Hash: B431B472A04B4286EB14EF6AE804069B7A2FB99B80F858036DF4D03358DF7CE465C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC853E20, Relevance: 15.2, APIs: 6, Strings: 4, Instructions: 248COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC853F09
EnterCriticalSection.KERNEL32 ref: 00007FF7BC853F3E

Part of subcall function 00007FF7BC854688: LeaveCriticalSection.KERNEL32 ref: 00007FF7BC8546DC

Part of subcall function 00007FF7BC854B94: GetProcessHeap.KERNEL32 ref: 00007FF7BC854BCB
Part of subcall function 00007FF7BC854B94: HeapFree.KERNEL32 ref: 00007FF7BC854BDA
Part of subcall function 00007FF7BC854B94: GetProcessHeap.KERNEL32 ref: 00007FF7BC854BFC
Part of subcall function 00007FF7BC854B94: HeapFree.KERNEL32 ref: 00007FF7BC854C0B
Part of subcall function 00007FF7BC854B94: LeaveCriticalSection.KERNEL32 ref: 00007FF7BC854C4C

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC854021
EnterCriticalSection.KERNEL32 ref: 00007FF7BC85406B

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

LeaveCriticalSection.KERNEL32 ref: 00007FF7BC8540B0
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC8541E2

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC853EAE, 00007FF7BC8540FA
%s: Leaving Execute Method, xrefs: 00007FF7BC8541B6
CDlpTransportImpl<class CDlpErrorImpl<class CDlpObjectInternalImpl<class CUnknownRefChainImpl<class IDlpTransport> > > >::Execute, xrefs: 00007FF7BC853EA7, 00007FF7BC8540F3
%s: Entering Execute Method, xrefs: 00007FF7BC853E73

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$HeapLeave$EnterFreeProcess$memset
String ID: %s(%d): Result = 0x%X$%s: Entering Execute Method$%s: Leaving Execute Method$CDlpTransportImpl<class CDlpErrorImpl<class CDlpObjectInternalImpl<class CUnknownRefChainImpl<class IDlpTransport> > > >::Execute
API String ID: 2807127008-2579465992
Opcode ID: b10087ca04f04d848cc109e6af932d94a6757edd4022be5ffa414eb3c2fc0d11
Instruction ID: 0b81baae22ada91056bf512252d656a8a9f7917dd2a6738e0de54f82955bfe11
Opcode Fuzzy Hash: b10087ca04f04d848cc109e6af932d94a6757edd4022be5ffa414eb3c2fc0d11
Instruction Fuzzy Hash: 3BB15071B086029BFB14EF69C5503B9A3A1FFA6744F808535DB0D87A89DFBCE5258720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC856E20, Relevance: 15.1, APIs: 10, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000364,00000000,00000494,00007FF7BC8578F0,000000AC,?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856EA8
HeapAlloc.KERNEL32(?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856EB6
memmove.MSVCRT(?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856EDE
DeleteCriticalSection.KERNEL32 ref: 00007FF7BC856F11
GetProcessHeap.KERNEL32 ref: 00007FF7BC856F1C
HeapFree.KERNEL32 ref: 00007FF7BC856F2A
GetProcessHeap.KERNEL32(00000364,00000000,00000494,00007FF7BC8578F0,000000AC,?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856F51
HeapFree.KERNEL32(?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856F5F
GetProcessHeap.KERNEL32(00000364,00000000,00000494,00007FF7BC8578F0,000000AC,?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856F8A
HeapFree.KERNEL32(?,00000494,00007FF7BC8553BA), ref: 00007FF7BC856F98

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Free$AllocCriticalDeleteSectionmemmove
String ID:
API String ID: 1033550581-0
Opcode ID: 8191e2c85505bfeb53c7b14879d13c702ff12c999bca76655da5eff4a71d25dd
Instruction ID: eb98c5587ec2263ae04a4d1cd105262f4b69b7d694a2499e4dcb64dda7cc1c9e
Opcode Fuzzy Hash: 8191e2c85505bfeb53c7b14879d13c702ff12c999bca76655da5eff4a71d25dd
Instruction Fuzzy Hash: 6341F662B1874283EA14AF5AA50023AE353BFA5B91F98C035DF5D07758DFBDF4518310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC825DE0, Relevance: 13.7, APIs: 9, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00007FF7BC825E35
EnterCriticalSection.KERNEL32 ref: 00007FF7BC825E5C
GetProcessHeap.KERNEL32 ref: 00007FF7BC825EA4
HeapFree.KERNEL32 ref: 00007FF7BC825EB2
memmove.MSVCRT ref: 00007FF7BC825EDA
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC825FC2
SetEvent.KERNEL32 ref: 00007FF7BC825FD1
GetLastError.KERNEL32 ref: 00007FF7BC826080
GetLastError.KERNEL32 ref: 00007FF7BC82609A

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorHeapLastSection$EnterEventFreeLeaveMultipleObjectsProcessWaitmemmove
String ID:
API String ID: 3247365984-0
Opcode ID: 5da69d24c9ff385dd9c23cd097d5a8c7b3b335dc7533ea935cf4c7b70d8daa10
Instruction ID: 84769f3c9a037410a91e992f4c8dc0b7dcb973fee8f90ab984c188835429c077
Opcode Fuzzy Hash: 5da69d24c9ff385dd9c23cd097d5a8c7b3b335dc7533ea935cf4c7b70d8daa10
Instruction Fuzzy Hash: B991E672A4864287E665BB2D944827DE391BFAAB50F95C135DF4E4B39CDF3CE8118320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC83DF14, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF7BC83E08B
GetProcessHeap.KERNEL32 ref: 00007FF7BC83E09E
HeapFree.KERNEL32 ref: 00007FF7BC83E0AD

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

*** JobTransferred ***. Error: [0x%X], xrefs: 00007FF7BC83E073
%s(%d): Result = 0x%X, xrefs: 00007FF7BC83DF9C, 00007FF7BC83E01D
*** JobTransferred ***. Job State: [%s], xrefs: 00007FF7BC83E0ED
CDlpTransportBits::JobTransferred, xrefs: 00007FF7BC83DF95, 00007FF7BC83E016

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$Event
String ID: %s(%d): Result = 0x%X$*** JobTransferred ***. Error: [0x%X]$*** JobTransferred ***. Job State: [%s]$CDlpTransportBits::JobTransferred
API String ID: 4223858941-969889343
Opcode ID: 3f3b75d10ca10673aefd61962cd0a720d37f91089e036a65715cd28e8af4251e
Instruction ID: 670c197761639b1a680d3ad62a2bbed48d5bf46593a76918a87fe882fcb0dc16
Opcode Fuzzy Hash: 3f3b75d10ca10673aefd61962cd0a720d37f91089e036a65715cd28e8af4251e
Instruction Fuzzy Hash: 47517571A09B4682FE05AF19D950179A361FFAAB80F848136EF1D477ACDF3CE4508660

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7E3D98, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 00007FF7BC7E3DD6
wcsstr.MSVCRT ref: 00007FF7BC7E3DEB
RtlDosPathNameToNtPathName_U.NTDLL ref: 00007FF7BC7E3E02
GetLastError.KERNEL32 ref: 00007FF7BC7E3E0C
HeapAlloc.KERNEL32 ref: 00007FF7BC7E3E54
RtlInitUnicodeString.NTDLL ref: 00007FF7BC7E3E79

Strings

\??, xrefs: 00007FF7BC7E3DCF

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Pathwcsstr$AllocErrorHeapInitLastNameName_StringUnicode
String ID: \??
API String ID: 3392176281-1952385479
Opcode ID: 9c146588ac98e7e3351b5012610d52ed661f8c20cd44036282de7c5a6eaa4ddd
Instruction ID: 183cdce574c62480235ca48932db7a287532c0cfda3050467053521321903c65
Opcode Fuzzy Hash: 9c146588ac98e7e3351b5012610d52ed661f8c20cd44036282de7c5a6eaa4ddd
Instruction Fuzzy Hash: 9B219561B1870342FB44BB299944539A3AAFF6AFD0B80D135CB5E47798DF7CE4568310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7E0D18, Relevance: 11.3, APIs: 9, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7BC7E0D63
HeapAlloc.KERNEL32 ref: 00007FF7BC7E0D71
memmove.MSVCRT ref: 00007FF7BC7E0D8F

Part of subcall function 00007FF7BC80908C: GetProcessHeap.KERNEL32(?,?,?,00007FF7BC7E0DA3), ref: 00007FF7BC80913B
Part of subcall function 00007FF7BC80908C: HeapFree.KERNEL32(?,?,?,00007FF7BC7E0DA3), ref: 00007FF7BC80914A

GetProcessHeap.KERNEL32 ref: 00007FF7BC7E0DC4
HeapFree.KERNEL32 ref: 00007FF7BC7E0DD3
GetProcessHeap.KERNEL32 ref: 00007FF7BC7E0E03
HeapFree.KERNEL32 ref: 00007FF7BC7E0E11
GetProcessHeap.KERNEL32 ref: 00007FF7BC7E0E1C
HeapFree.KERNEL32 ref: 00007FF7BC7E0E2B

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: e91bbeddd85ea0c8c783a4e5090804aac751246a6f7388a06bb21bd378896aba
Instruction ID: 49289e655174a4574ad3826ad9b42214768ffe85b403e933791cd957c89d1e98
Opcode Fuzzy Hash: e91bbeddd85ea0c8c783a4e5090804aac751246a6f7388a06bb21bd378896aba
Instruction Fuzzy Hash: F931B362B08B4387EA14FF6AA50406DE3A6EFAAF50B89C036DF0D47718DE3CE4558710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC82BD80, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

SysFreeString.OLEAUT32 ref: 00007FF7BC82BF9B
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7BC82BFF9
SysFreeString.OLEAUT32 ref: 00007FF7BC82C0A2
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC82C0C6

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC82BE2C
CDlpTask::GetFileByName, xrefs: 00007FF7BC82BE25

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: String$CriticalFreeSection$CompareEnterLeavememset
String ID: %s(%d): Result = 0x%X$CDlpTask::GetFileByName
API String ID: 3063920316-907470498
Opcode ID: d0c94ca38deb6c778216f0598911d5cfdeb9474e5385e0a51c649a78253904ae
Instruction ID: e950adc792fac412c457a63b8e8c85d59a3e646ac03d7f06c4a4dbf5b2fe9f1c
Opcode Fuzzy Hash: d0c94ca38deb6c778216f0598911d5cfdeb9474e5385e0a51c649a78253904ae
Instruction Fuzzy Hash: F0A17126B05B4686EB18AF29D884279F3A1FB59B54F448136DF5E473A8CF3CE465C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7F2DFC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,00007FF7BC7F60FE), ref: 00007FF7BC7F2EFE
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,00007FF7BC7F60FE), ref: 00007FF7BC7F2F31
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,00007FF7BC7F60FE), ref: 00007FF7BC7F2F7A
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,00007FF7BC7F60FE), ref: 00007FF7BC7F2FAA

Strings

CDlpActionLayoutUsb::FindOemFilePath, xrefs: 00007FF7BC7F2E4F
%s(%d): Result = 0x%X, xrefs: 00007FF7BC7F2E5B

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CompareString
String ID: %s(%d): Result = 0x%X$CDlpActionLayoutUsb::FindOemFilePath
API String ID: 1825529933-1566397815
Opcode ID: 7b43751532d943c9bd020fe7937e5a01683c5c5421e869fce1f3fe1547675a89
Instruction ID: d31dde9810b0f2b08012cac21e150b5faee4e9a24149e41dcab214dfaf3112e9
Opcode Fuzzy Hash: 7b43751532d943c9bd020fe7937e5a01683c5c5421e869fce1f3fe1547675a89
Instruction Fuzzy Hash: 6F512472A08A8282E724AF1CE48013AB795FB99794F904635EF5E437A8CF3CE511C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC850EC0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

SysFreeString.OLEAUT32 ref: 00007FF7BC850F1D
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7BC850F7E
SysFreeString.OLEAUT32 ref: 00007FF7BC85101D
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC851042

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC850FE3
CDlpManager::GetTaskIndexByName, xrefs: 00007FF7BC850FDC

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: String$CriticalFreeSection$CompareEnterLeavememset
String ID: %s(%d): Result = 0x%X$CDlpManager::GetTaskIndexByName
API String ID: 3063920316-3138808665
Opcode ID: 5752059447769ad7c36ed034b51fd1a00ca05c54f979f41299b1f9fc78785bb7
Instruction ID: bcd21452ef2a4dc04213e241e674c9bace060e8eec765c0b2001a7a95db1094b
Opcode Fuzzy Hash: 5752059447769ad7c36ed034b51fd1a00ca05c54f979f41299b1f9fc78785bb7
Instruction Fuzzy Hash: CA51C032A05B4286EB11AF19D99027CA3A1FB5AB94F848535DF1E47398DF7CE451C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7DEEA8, Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEED5
GetProcessHeap.KERNEL32(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEEE6
HeapAlloc.KERNEL32(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEEF5
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEF0E
GetLastError.KERNEL32(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEF18
SetLastError.KERNEL32(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEF22
SetLastError.KERNEL32(?,?,00000000,00007FF7BC7DEAB0,?,?,?,00000001,?,00000000,00000000,?,?,00007FF7BC7E058C), ref: 00007FF7BC7DEF32

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FullHeapNamePath$AllocProcess
String ID:
API String ID: 2171788232-0
Opcode ID: 119d520cf3729fb443e7c98d8a1b32e27f67afad827222cfdd9b4bc831c8a504
Instruction ID: 149663dc44ca76613220b8581fccbe6b8cfb1548eea33c68a3cacd5d4627c341
Opcode Fuzzy Hash: 119d520cf3729fb443e7c98d8a1b32e27f67afad827222cfdd9b4bc831c8a504
Instruction Fuzzy Hash: 9911C421B0974242FB916B6AB800679A392AFAAF80F888435DF0D43B4CDF7CE4518221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC848EA0, Relevance: 9.0, APIs: 6, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF7BC848EC9
GetProcessHeap.KERNEL32 ref: 00007FF7BC848EED
HeapFree.KERNEL32 ref: 00007FF7BC848EFB
DeleteCriticalSection.KERNEL32 ref: 00007FF7BC848F1A
GetProcessHeap.KERNEL32 ref: 00007FF7BC848F2A
HeapFree.KERNEL32 ref: 00007FF7BC848F38

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CriticalDeleteFreeProcessSection
String ID:
API String ID: 667334172-0
Opcode ID: f92ec054e8db8f9be6219174f5c7eaf871269ca814a26d80c8dd3cfc3439e2a6
Instruction ID: c95174799d7e98967c8aff859c67996c6360c7535ab5ecb04e94d869475e5cb9
Opcode Fuzzy Hash: f92ec054e8db8f9be6219174f5c7eaf871269ca814a26d80c8dd3cfc3439e2a6
Instruction Fuzzy Hash: 79116021908B4186E704EB56E604369A3A2FB95B95F848031CF4D0775CDF7DE4A5C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC854F08, Relevance: 8.9, APIs: 7, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

GetProcessHeap.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC854F45
HeapFree.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC854F54

Part of subcall function 00007FF7BC7D5148: GetProcessHeap.KERNEL32(?,%04d-%02d-%02d %02d:%02d:%02d,00000000,00007FF7BC7D5484), ref: 00007FF7BC7D5276
Part of subcall function 00007FF7BC7D5148: HeapFree.KERNEL32 ref: 00007FF7BC7D5284

GetProcessHeap.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC854FCB
HeapFree.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC854FDA
GetProcessHeap.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC855004
HeapFree.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC855013
LeaveCriticalSection.KERNEL32(?,?,00000158,00000000,00000000,?,?,00007FF7BC841DE6), ref: 00007FF7BC85503F

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$CriticalSection$EnterLeavememset
String ID:
API String ID: 3853623943-0
Opcode ID: 7d2c50e46a89734aa55fd82208f48694e052e5651217145d2e9f659cbe6c4f25
Instruction ID: 7948342a66046046ffde1bc3baf0072fc914d04ca7e2de2715d69dbbc49ac1b6
Opcode Fuzzy Hash: 7d2c50e46a89734aa55fd82208f48694e052e5651217145d2e9f659cbe6c4f25
Instruction Fuzzy Hash: 8741C4B2B04A1283EB05BF7D85111BDA3A2AF99784F858435EF0E4724DDF79E45483A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7DCE40, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7BC7DCF16
GetProcessHeap.KERNEL32 ref: 00007FF7BC7DCF7A
HeapFree.KERNEL32 ref: 00007FF7BC7DCF89

Part of subcall function 00007FF7BC7D3D44: GetProcessHeap.KERNEL32 ref: 00007FF7BC7D3E41
Part of subcall function 00007FF7BC7D3D44: HeapFree.KERNEL32 ref: 00007FF7BC7D3E50

Strings

GetESDImageLocation, xrefs: 00007FF7BC7DCE8A, 00007FF7BC7DCEDF
%s(%d): Result = 0x%X, xrefs: 00007FF7BC7DCE91, 00007FF7BC7DCEE6

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$AttributesFile
String ID: %s(%d): Result = 0x%X$GetESDImageLocation
API String ID: 1958223705-3785420827
Opcode ID: 3a2cf8f6d554e885d67cc0a2eb1e5e093b6dc7cb6cd60ddafcdf3ac9b9887124
Instruction ID: 114849e2c5efa455558e36b9bb9c355136a565e20a692141a331b4f6c38f4c9e
Opcode Fuzzy Hash: 3a2cf8f6d554e885d67cc0a2eb1e5e093b6dc7cb6cd60ddafcdf3ac9b9887124
Instruction Fuzzy Hash: 4041E8B2A0870386FB10BFA994041B9E351AFAAB50F948135EB5D873DDCF7CE4008721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC848DAC, Relevance: 7.6, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC848DD3
memset.MSVCRT ref: 00007FF7BC848DEF
memset.MSVCRT ref: 00007FF7BC848DFE
memset.MSVCRT ref: 00007FF7BC848E0D

Part of subcall function 00007FF7BC7D6680: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7BC7D6696
Part of subcall function 00007FF7BC7D6680: GetLastError.KERNEL32 ref: 00007FF7BC7D66A0

Part of subcall function 00007FF7BC7D66E4: LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7D6744

memset.MSVCRT ref: 00007FF7BC848E6B
memset.MSVCRT ref: 00007FF7BC848E7A

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CriticalSection$CountErrorInitializeLastLeaveSpin
String ID:
API String ID: 2790007442-0
Opcode ID: 72176472fd0e3a811095f4e87dfeac0315a51ae5c3ab06265f1ee8bc83de751a
Instruction ID: 9bf17f0ec8081164f1b40ee53cee998cbe61081b729cb596e0c3845b5eb0b094
Opcode Fuzzy Hash: 72176472fd0e3a811095f4e87dfeac0315a51ae5c3ab06265f1ee8bc83de751a
Instruction Fuzzy Hash: 14219232B1474296EB58EB26E4401E9B361FB95740F88C432D74E03A69DF78E5A6C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC844EAC, Relevance: 7.6, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7BC844ED3
memset.MSVCRT ref: 00007FF7BC844EEF
memset.MSVCRT ref: 00007FF7BC844EFE
memset.MSVCRT ref: 00007FF7BC844F0D

Part of subcall function 00007FF7BC7D6680: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7BC7D6696
Part of subcall function 00007FF7BC7D6680: GetLastError.KERNEL32 ref: 00007FF7BC7D66A0

Part of subcall function 00007FF7BC7D66E4: LeaveCriticalSection.KERNEL32 ref: 00007FF7BC7D6744

memset.MSVCRT ref: 00007FF7BC844F6B
memset.MSVCRT ref: 00007FF7BC844F7A

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CriticalSection$CountErrorInitializeLastLeaveSpin
String ID:
API String ID: 2790007442-0
Opcode ID: 4fc3b0c678d1c22fd9ddb437257b831941f0502a29597014d6433610403707ee
Instruction ID: eb70bb057728109379ab4d5b63646babdc2e74750880b3edc54d66095218e961
Opcode Fuzzy Hash: 4fc3b0c678d1c22fd9ddb437257b831941f0502a29597014d6433610403707ee
Instruction Fuzzy Hash: EA219232B1474296EB58EB26E4401E9B361FB95B40F88C432D74E03A69DF78E5A6C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC824EC0, Relevance: 7.6, APIs: 5, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7BC824EE7
HeapFree.KERNEL32 ref: 00007FF7BC824EF7
DeleteCriticalSection.KERNEL32 ref: 00007FF7BC824F3B
GetProcessHeap.KERNEL32 ref: 00007FF7BC824F4C
HeapFree.KERNEL32 ref: 00007FF7BC824F5B

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$CriticalDeleteSection
String ID:
API String ID: 4183614560-0
Opcode ID: 3902cfb5bb4fedeaebf57258c3bb2e97ab32db0ce92f2865d1de6823b4fccc36
Instruction ID: f58d411549b750ba19f4f71919874cd1fa77ec5f3a3cef8dff4a376e6cadee0b
Opcode Fuzzy Hash: 3902cfb5bb4fedeaebf57258c3bb2e97ab32db0ce92f2865d1de6823b4fccc36
Instruction Fuzzy Hash: 6C116632604B4183E714AB29E644369A361FFDBBA6F948235CB1D076E8CF7DE465C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC84BE20, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7BC84BF5B
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC84BF96

Strings

%s(%d): Result = 0x%X, xrefs: 00007FF7BC84BEB4
CDlpManager::GetDwordProperty, xrefs: 00007FF7BC84BEAD

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CompareEnterLeaveStringmemset
String ID: %s(%d): Result = 0x%X$CDlpManager::GetDwordProperty
API String ID: 3913716123-2813665115
Opcode ID: 11d1d7217ebe3c83d1ad8254299b7a70096376ca37644db8e23078172f5bee60
Instruction ID: bdfabaa3a518e047a0a41ee9c8929219c94b0ec2e1778251b7ac1c06ef61425e
Opcode Fuzzy Hash: 11d1d7217ebe3c83d1ad8254299b7a70096376ca37644db8e23078172f5bee60
Instruction Fuzzy Hash: 9A51B132604B468AEA14AF09D440579B7A0FB99B90F844136DF6D077A8CF3CE865C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC80ED4C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7BC80EDD5

Part of subcall function 00007FF7BC80D0A8: _cwprintf_s_l.LIBCMT ref: 00007FF7BC80D1D0
Part of subcall function 00007FF7BC80D0A8: OutputDebugStringW.KERNEL32 ref: 00007FF7BC80D1DD
Part of subcall function 00007FF7BC80D0A8: GetLastError.KERNEL32 ref: 00007FF7BC80D1E3
Part of subcall function 00007FF7BC80D0A8: CurrentIP.WDSCORE ref: 00007FF7BC80D1EB
Part of subcall function 00007FF7BC80D0A8: WdsSetupLogMessageW.WDSCORE ref: 00007FF7BC80D24A

Strings

Failed to get canonical form for [%s], xrefs: 00007FF7BC80EDA2
PushButtonReset::File::Exists, xrefs: 00007FF7BC80EDBD
base\reset\util\src\filesystem.cpp, xrefs: 00007FF7BC80EDB6

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCurrentDebugErrorFileLastMessageOutputSetupString_cwprintf_s_l
String ID: Failed to get canonical form for [%s]$PushButtonReset::File::Exists$base\reset\util\src\filesystem.cpp
API String ID: 384899146-1327676957
Opcode ID: dbad671f38cea7ef9fde2ed6592435db94b4b7e8e7c863b780ed1d628a0842e4
Instruction ID: e3aa8c886552bd109bdf93025d6fdabd4f5aedbd0a94057f47005125ae3fd9c1
Opcode Fuzzy Hash: dbad671f38cea7ef9fde2ed6592435db94b4b7e8e7c863b780ed1d628a0842e4
Instruction Fuzzy Hash: E3216835A08B4681FA10AB2DE845169B361FB967A4F908331DBAD837E8DF3CD061C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC809EFC, Relevance: 6.3, APIs: 5, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BC7D681C: memset.MSVCRT ref: 00007FF7BC7D683F
Part of subcall function 00007FF7BC7D681C: EnterCriticalSection.KERNEL32 ref: 00007FF7BC7D6870

GetProcessHeap.KERNEL32 ref: 00007FF7BC809F30
HeapFree.KERNEL32 ref: 00007FF7BC809F3F
GetProcessHeap.KERNEL32 ref: 00007FF7BC809F61
HeapFree.KERNEL32 ref: 00007FF7BC809F70
LeaveCriticalSection.KERNEL32 ref: 00007FF7BC809FB1

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CriticalFreeProcessSection$EnterLeavememset
String ID:
API String ID: 2743843801-0
Opcode ID: 1c458c98bda74222ca75b3a253d437247e0d8b6a8cfaa7b4a2992cd7c539c4ec
Instruction ID: f95c88e1f0a813c41dc2f9c3dfdfd35b516bf33798977d8a578a6f642ea5cee4
Opcode Fuzzy Hash: 1c458c98bda74222ca75b3a253d437247e0d8b6a8cfaa7b4a2992cd7c539c4ec
Instruction Fuzzy Hash: 772181B2A08A4283FB44AB69E5443ADE3A1FFAD744F84C135D74D46159DF7CE0688720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC807D70, Relevance: 6.1, APIs: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7BC807DBC
GetFileSizeEx.KERNEL32 ref: 00007FF7BC807DFF
GetLastError.KERNEL32 ref: 00007FF7BC807E09
CloseHandle.KERNEL32 ref: 00007FF7BC807E43

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseCreateErrorHandleLastSize
String ID:
API String ID: 281206921-0
Opcode ID: 7be288c55b4b309828d425f2ef4b5ae77726149c5c73c429a3fe48527eb5b358
Instruction ID: 6cf318b76a568a74bba78b338d6fb743eb0c86548c750be14fed00c85be003b9
Opcode Fuzzy Hash: 7be288c55b4b309828d425f2ef4b5ae77726149c5c73c429a3fe48527eb5b358
Instruction Fuzzy Hash: A321A721B0964242FA50AB19A91027993D19FA6BB5F94C335DF3E477DCEF3CD8158720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC7DDE10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

memcpy_s.MSVCRT ref: 00007FF7BC7DDE59
sprintf_s.MSVCRT ref: 00007FF7BC7DDEAF

Strings

%u!, xrefs: 00007FF7BC7DDE86

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy_ssprintf_s
String ID: %u!
API String ID: 458736077-3756441844
Opcode ID: 7b9c6d7cc664efb43e6e4dc964cf3df1f5fa87dc4c6f7260a6b37fbb299cc66a
Instruction ID: 4cf5fd5c673caad44390c095f9bea48ee922e7b283dd26133110165ebf6ed1cf
Opcode Fuzzy Hash: 7b9c6d7cc664efb43e6e4dc964cf3df1f5fa87dc4c6f7260a6b37fbb299cc66a
Instruction Fuzzy Hash: 5011D361A0C6E285E7115B6965003B9FB94AB3AB80F488171DFC84774DDE3CD0518770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC816DE8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7BC816E35

Strings

CacheDisable, xrefs: 00007FF7BC816E14
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FveDetect, xrefs: 00007FF7BC816E2A

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID: CacheDisable$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FveDetect
API String ID: 3702945584-1575750955
Opcode ID: 203c833cf73ab2fe493f1dfb53b9d77785fb8beda0876875d0e742c9ac667178
Instruction ID: 4ad901bb2aab1b8f6da509f6c6c8ff7eb55cde88dc7559cc7d58cab94e92e84a
Opcode Fuzzy Hash: 203c833cf73ab2fe493f1dfb53b9d77785fb8beda0876875d0e742c9ac667178
Instruction Fuzzy Hash: 51019271A08B42C6E710AF08E984165F3A0FB2A364FD04335D75D42798DB7CA9A0CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7BC803F14, Relevance: 5.1, APIs: 4, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7BC803F59
HeapAlloc.KERNEL32 ref: 00007FF7BC803F6C
memset.MSVCRT ref: 00007FF7BC803F87
memset.MSVCRT ref: 00007FF7BC803FA5

Memory Dump Source

Source File: 00000018.00000002.418103000.00007FF7BC7D1000.00000020.00020000.sdmp, Offset: 00007FF7BC7D0000, based on PE: true

Associated: 00000018.00000002.418084483.00007FF7BC7D0000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.418801886.00007FF7BC85C000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419263605.00007FF7BC88E000.00000004.00020000.sdmp Download File
Associated: 00000018.00000002.419295966.00007FF7BC891000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.419403325.00007FF7BC8A5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapmemset$AllocProcess
String ID:
API String ID: 1204105928-0
Opcode ID: 15c7e03d553f10ac360793e9ef7b6b11c588acacc8e6def9ebc46bc6bf885f0b
Instruction ID: e41d33e51f7867469e923cc97ad114271b4541a9f14e215306d79a642533f237
Opcode Fuzzy Hash: 15c7e03d553f10ac360793e9ef7b6b11c588acacc8e6def9ebc46bc6bf885f0b
Instruction Fuzzy Hash: 9E31B821B18B4282FB54AF2DA44017DA3A2AFEAB90F99C134DB5D477ACDF3CE4518350

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report A2qAaSVuU2

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre