
Windows Analysis Report DHL_AWB 65335643399___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 65335643399___pdf.exe
Analysis ID: 516538
MD5: 52ef260ef62aae29914f40cb8eaed7ac
SHA1: cba71c49ae1c145c6e9210685be42f4aa24b0e18
SHA256: 752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
Tags: exe hawkeye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • DHL_AWB 65335643399___pdf.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe" MD5: 52EF260EF62AAE29914F40CB8EAED7AC)
    • schtasks.exe (PID: 6980 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 65335643399___pdf.exe (PID: 6996 cmdline: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe MD5: 52EF260EF62AAE29914F40CB8EAED7AC)
      • vbc.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6740 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6756 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_WebBrowserPassView; Description: Yara detected WebBrowserPassView password recovery tool; Author: Joe Security
Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp; Rule: MAL_HawkEye_Keylogger_Gen_Dec18; Description: Detects HawkEye Keylogger Reborn; Author: Florian Roth
  • 0x87a2e:$s1: HawkEye Keylogger
  • 0x87a97:$s1: HawkEye Keylogger
  • 0x80e71:$s2: _ScreenshotLogger
  • 0x80e3e:$s3: _PasswordStealer
Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp; Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1; Description: Detects BabyShark KimJongRAT; Author: Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_MailPassView; Description: Yara detected MailPassView; Author: Joe Security

Unpacked PEs

Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack; Rule: MAL_HawkEye_Keylogger_Gen_Dec18; Description: Detects HawkEye Keylogger Reborn; Author: Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack; Rule: SUSP_NET_NAME_ConfuserEx; Description: Detects ConfuserEx packed file; Author: Arnim Rupp
  • 0x87601:$name: ConfuserEx
  • 0x8630e:$compile: AssemblyTitle
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack; Rule: HawkEyev9; Description: HawkEye v9 Payload; Author: ditekshen
  • 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
  • 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
  • 0x8103e:$str1: _PasswordStealer
  • 0x8104f:$str2: _KeyStrokeLogger
  • 0x81071:$str3: _ScreenshotLogger
  • 0x81060:$str4: _ClipboardLogger
  • 0x81083:$str5: _WebCamLogger
  • 0x81198:$str6: _AntiVirusKiller
  • 0x81186:$str7: _ProcessElevation
  • 0x8114d:$str8: _DisableCommandPrompt
  • 0x81253:$str9: _WebsiteBlocker
  • 0x81263:$str9: _WebsiteBlocker
  • 0x81139:$str10: _DisableTaskManager
  • 0x811b4:$str11: _AntiDebugger
  • 0x8123e:$str12: _WebsiteVisitorSites
  • 0x81163:$str13: _DisableRegEdit
  • 0x811c2:$str14: _ExecutionDelay
  • 0x810e7:$str15: _InstallStartupPersistance
Source: 27.2.vbc.exe.400000.0.raw.unpack; Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1; Description: Detects BabyShark KimJongRAT; Author: Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe, ParentProcessId: 6536, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, ProcessId: 6980

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 65335643399___pdf.exe; Virustotal: Detection: 26%
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack; Avira: Label: TR/Dropper.Gen
Source: DHL_AWB 65335643399___pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DHL_AWB 65335643399___pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb; source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb; source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen; 8_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose; 8_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen; 12_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose; 12_2_00408CAC
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe; Code function: 4x nop then jmp 07FABE90h; 0_2_07FABDB5
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~
oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~
oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps:/
/www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336476043.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://en.w)
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336076136.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336007214.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://google.com/chrome
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0:
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0B
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0E
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0F
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0K
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0R
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.349234388.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341657296.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341284538.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.340178685.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comc
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comces
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comcy
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339422429.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comen
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339531363.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint8
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339531363.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-uN
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339720163.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343215254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/R
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344674691.0000000005D7E000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344539855.0000000005D7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344003681.0000000005D7E000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344241564.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlftwr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343041958.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/n
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343959639.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343510616.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344688385.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343510616.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersA
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.345148561.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.349140893.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343118651.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344688385.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersm
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343215254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343118651.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersw
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384884031.0000000001527000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com=
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384884031.0000000001527000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comoaj%(-
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338190350.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338273494.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338395162.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/L
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnark&
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338273494.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnk
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnomp
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.347670969.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.346985285.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmg
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338067194.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342647297.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.346508093.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.0
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/
          Source: vbc.exe, 00000008.00000003.403942068.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455444203.00000000020E4000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
          Source: vbc.exe, 00000008.00000002.406829834.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000002.424903467.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.439426621.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000011.00000002.457922865.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
          Source: vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.334804967.0000000005D42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.334804967.0000000005D42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341087174.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337803826.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr=
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kra-ea
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krgra
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krlu
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338672489.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.6
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.340105341.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comE
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338749105.000000000152C000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comXh
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338638321.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comn-u4
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342932704.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.345202768.0000000005D68000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342932704.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342826199.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deFos
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339058782.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-f
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
          Source: vbc.exe, 00000008.00000003.403565944.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454535819.00000000020ED000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected HawkEye Keylogger
          Source: Yara match, file source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
          Source: Yara match, file source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe, window created: window name: CLIPBRDWNDCLASS
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, code function: 8_2_0040F078 OpenClipboard, GetLastError, DeleteFileW

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Initial sample is a PE file and has a suspicious name
          Source: initial sample Static PE information: Filename: DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02921C837_2_02921C83
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02921CBA7_2_02921CBA
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02923C1D7_2_02923C1D
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02923C737_2_02923C73
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02923DA07_2_02923DA0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02923DDD7_2_02923DDD
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02923D407_2_02923D40
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02921D6F7_2_02921D6F
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E44307_2_058E4430
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E07787_2_058E0778
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E46807_2_058E4680
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E0EA87_2_058E0EA8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E6EE87_2_058E6EE8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E14DD7_2_058E14DD
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E14157_2_058E1415
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E12957_2_058E1295
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058ED9207_2_058ED920
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E46717_2_058E4671
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E6EC17_2_058E6EC1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E49287_2_058E4928
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E170B7_2_058E170B
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E16677_2_058E1667
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E71077_2_058E7107
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E11347_2_058E1134
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058EF16C7_2_058EF16C
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E11747_2_058E1174
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E70317_2_058E7031
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E12D57_2_058E12D5
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E125A7_2_058E125A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3DA07_2_058E3DA0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3DF07_2_058E3DF0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3AAC7_2_058E3AAC
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3AB07_2_058E3AB0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F43107_2_058F4310
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F62B87_2_058F62B8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F4C007_2_058F4C00
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FFBC07_2_058FFBC0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F90807_2_058F9080
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F90907_2_058F9090
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FC2B87_2_058FC2B8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FC2C87_2_058FC2C8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F3FC07_2_058F3FC0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F8B607_2_058F8B60
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F8B707_2_058F8B70
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0044900F8_2_0044900F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004042EB8_2_004042EB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004142818_2_00414281
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004102918_2_00410291
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004063BB8_2_004063BB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004156248_2_00415624
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0041668D8_2_0041668D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040477F8_2_0040477F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040487C8_2_0040487C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0043589B8_2_0043589B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0043BA9D8_2_0043BA9D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0043FBD38_2_0043FBD3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0044900F12_2_0044900F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_004042EB12_2_004042EB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0041428112_2_00414281
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0041029112_2_00410291
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_004063BB12_2_004063BB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0041562412_2_00415624
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0041668D12_2_0041668D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0040477F12_2_0040477F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0040487C12_2_0040487C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0043589B12_2_0043589B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0043BA9D12_2_0043BA9D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0043FBD312_2_0043FBD3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044465C appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044466E appears 40 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 68 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 72 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 72 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 132 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0042F6EF appears 32 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 174 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 64 times
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Code function: 7_2_058E1398 NtUnmapViewOfSection
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
          Source: DHL_AWB 65335643399___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384048080.0000000000AD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.602565955.0000000000B58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382825709.00000000006F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NbJgZAsv.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: DHL_AWB 65335643399___pdf.exe | Virustotal: Detection: 26%
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File read: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
          Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@0/1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
          Source: DHL_AWB 65335643399___pdf.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\LcfvXkhsWmtOAyNmKljqjUzj
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Code function: 0_2_07FABB53 push esp; ret | 0_2_07FABB54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00444975 push ecx; ret | 8_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00444B90 push eax; ret | 8_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00444B90 push eax; ret | 8_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00448E74 push eax; ret | 8_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0042CF44 push ebx; retf 0042h | 8_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00444975 push ecx; ret | 12_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00444B90 push eax; ret | 12_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00444B90 push eax; ret | 12_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00448E74 push eax; ret | 12_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0042CF44 push ebx; retf 0042h | 12_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 8_2_004443B0
Source: DHL_AWB 65335643399___pdf.exe | Static PE information: 0xBAAB9656 [Fri Mar 29 18:28:38 2069 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.57987288124
Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: DHL_AWB 65335643399___pdf.exe, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: DHL_AWB 65335643399___pdf.exe, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: DHL_AWB 65335643399___pdf.exe, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: NbJgZAsv.exe.0.dr, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: NbJgZAsv.exe.0.dr, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: NbJgZAsv.exe.0.dr, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 8_2_00443A61
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.2e32b8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6540 | Thread sleep time: -32392s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6580 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 | Thread sleep count: 138 > 30
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 | Thread sleep time: -138000s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6292 | Thread sleep time: -345600000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle | 8_2_0040978A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 172800000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041829C memset,GetSystemInfo | 8_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen | 8_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose | 8_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen | 12_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose | 12_2_00408CAC
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 32392
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 172800000
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: bhv7E75.tmp.13.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20211105T222051Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=acb40644ee59409e84e67afcd8be5637&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1241428&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1241428&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle | 8_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 8_2_004443B0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 269008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3FE008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 242008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 267008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 220008
          .NET source code references suspicious native API functions
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Injects a PE file into foreign processes
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp"
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, | 8_2_00418137
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004083A1 GetVersionExW, | 8_2_004083A1
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avp.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match | File source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.606069695.0000000002CBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6756, type: MEMORYSTR

Yara detected HawkEye Keylogger
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 17.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604997751.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604881484.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.458049589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.439502988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.443122582.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.414637682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.414189798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.394234087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.413703386.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.393712124.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.394776440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.429569305.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.428434291.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.445590834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.443616731.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.428849255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6740, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR

Detected HawkEye Rat
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

Mitre Att&ck Matrix

The matrix is listed here one tactic (column) per line; the number in parentheses after a technique is the signature-hit badge shown in the report for that cell, and techniques without a number had no hits.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (111), Native API (11), Shared Modules (1), Scheduled Task/Job (1), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Application Shimming (1), Scheduled Task/Job (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Application Shimming (1), Process Injection (412), Scheduled Task/Job (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (4), Software Packing (13), Timestomp (1), Masquerading (1), Virtualization/Sandbox Evasion (131), Process Injection (412)
Credential Access: OS Credential Dumping (1), Credentials in Registry (1), Credentials In Files (1), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (1), File and Directory Discovery (2), System Information Discovery (19), Security Software Discovery (231), Virtualization/Sandbox Evasion (131), Process Discovery (4), Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Archive Collected Data (11), Data from Local System (1), Email Collection (1), Clipboard Data (2), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Remote Access Software (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 516538; Sample: DHL_AWB 65335643399___pdf.exe; Startdate: 05/11/2021; Architecture: WINDOWS; Score: 100. The rendered graph is not recoverable from the page; the nodes and edges it carried are listed below.

Signatures on the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected HawkEye Rat; 11 other signatures.

Process tree:

• DHL_AWB 65335643399___pdf.exe (started)
  • Dropped files: C:\Users\user\AppData\Local\Temp\tmpBB4.tmp (XML); C:\...\DHL_AWB 65335643399___pdf.exe.log (ASCII); C:\Users\user\AppData\Roaming32bJgZAsv.exe (PE32)
  • Signature: Injects a PE file into a foreign processes
  • DHL_AWB 65335643399___pdf.exe (child, started)
    • DNS/IP info: 192.168.2.1 unknown unknown
    • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
    • vbc.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
    • vbc.exe (started): Tries to harvest and steal browser information (history, passwords, etc)
    • vbc.exe (started)
    • 2 other processes
  • schtasks.exe (started)
    • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          DHL_AWB 65335643399___pdf.exe27%VirustotalBrowse

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
17.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
13.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
8.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
12.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
12.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
17.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://www.founder.com.cn/cn/cTheDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://a.pomf.cat/DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0fbhv7E75.tmp.13.drfalse
                                                                                                                      high
                                                                                                                      https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.pngbhv7E75.tmp.13.drfalse
                                                                                                                        high
                                                                                                                        https://www.google.com/chrome/static/images/chrome_safari-behavior.jpgbhv7E75.tmp.13.drfalse
                                                                                                                          high
                                                                                                                          http://www.msn.com/?ocid=iehpvbc.exe, 00000008.00000003.403942068.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455444203.00000000020E4000.00000004.00000001.sdmp, bhv7E75.tmp.13.drfalse
                                                                                                                            high
                                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3bhv7E75.tmp.13.drfalse
                                                                                                                              high
                                                                                                                              http://crl.pki.goog/GTS1O1core.crl0bhv7E75.tmp.13.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9bhv7E75.tmp.13.drfalse
                                                                                                                                high
                                                                                                                                http://www.ascendercorp.com/typedesigners.htmlDHL_AWB 65335643399___pdf.exe, 00000000.00000003.341657296.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341284538.0000000005D63000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://www.google.com/chrome/static/images/icon-announcement.svgbhv7E75.tmp.13.drfalse
                                                                                                                                  high

                                                                                                                                  Contacted IPs


                                                                                                                                  Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                                                                                                                  Private

IP: 192.168.2.1

                                                                                                                                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 516538
Start date: 05.11.2021
Start time: 15:20:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL_AWB 65335643399___pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@16/13@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 77%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 230
• Number of non-executed functions: 300
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.43.16, 13.107.5.88
                                                                                                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, arc.msn.com, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, l-0007.dc-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                  Simulations

                                                                                                                                  Behavior and APIs

Time | Type | Description
15:21:14 | API Interceptor | 5x Sleep call for process: DHL_AWB 65335643399___pdf.exe modified

                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                  IPs

                                                                                                                                  No context

                                                                                                                                  Domains

                                                                                                                                  No context

                                                                                                                                  ASN

                                                                                                                                  No context

                                                                                                                                  JA3 Fingerprints

                                                                                                                                  No context

                                                                                                                                  Dropped Files

                                                                                                                                  No context

                                                                                                                                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 65335643399___pdf.exe.log
Process: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\49b65733-2a7e-be56-685e-64260949479e
Process: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 88
Entropy (8bit): 5.403819652846604
Encrypted: false
SSDEEP: 3:Bpx9cCPOERwhkNvW0sKtKWBeNODnS501:Bpx939R/NvW0s1e
MD5: 9875EC0B7EB8D451315F9F1326AAEB67
SHA1: E9871048F796D66A9E291BEAC8C22F2E5AA4C17F
SHA-256: 202ACD4716CF06B8A7E34DB56034BC4AD82E3BF3C7E3C3CF315E5F87BB5EF8B9
SHA-512: 406CBB37B4FB90E1154ECFF01B345915F12D22FD7E19E65DB7A7B961075B01D3014A4BC7B19F2BAEE0FFB565FE1A1A8A3258E21D5718B4FFD65FAB9DFBC4A3FC
Malicious: false
Reputation: low
Preview: GTXq6lZGCzVwlrIPDHEkHKLHTDwQ+W9qskpK9EEOMzECcgwr6lRJ0INBTQI/Ho3Cwgm7UnZunhkwo8Y4g7/03Q==

C:\Users\user\AppData\Local\Temp\bhv3F87.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0xf6c62795, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.877811164040784
Encrypted: false
SSDEEP: 24576:5M+wP17f2sBMPHihgmKdTnjVccgeTaNX:9sBoT
MD5: C7282CEAA3E3B01987F67DA5BF529677
SHA1: A5D3B18A538855FEF53FA6D0F5BCD31131A5C916
SHA-256: AE7D3AEFA17E7DFE40E329BA1E110383E1D7D6CFC29BD5D0489984295C7DB1EA
SHA-512: D1E01AF046CC07D75DB0983B32B320EE11F4CD2CFCF332355C84B569BD38AFD3ADA4C77F73FFD5366A07433EEED0675AC71D2FE861FF69961BEF4A7C34D5A17E
Malicious: false
Reputation: low
                                                                                                                                  Preview: ..'.... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW......................................................................................................................................................................................................................................\5......y#q................%........yC.........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bhv6484.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.882512226797484
Encrypted: false
SSDEEP: 24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
MD5: 57F8E33FDE23B8D15313B3B5EB91BF92
SHA1: D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
SHA-256: 6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
SHA-512: C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
Malicious: false
Reputation: low
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\bhv7E75.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):26738688
                                                                                                                                  Entropy (8bit):0.882512226797484
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
                                                                                                                                  MD5:57F8E33FDE23B8D15313B3B5EB91BF92
                                                                                                                                  SHA1:D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
                                                                                                                                  SHA-256:6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
                                                                                                                                  SHA-512:C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\bhvA016.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):26738688
                                                                                                                                  Entropy (8bit):0.882512226797484
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
                                                                                                                                  MD5:57F8E33FDE23B8D15313B3B5EB91BF92
                                                                                                                                  SHA1:D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
                                                                                                                                  SHA-256:6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
                                                                                                                                  SHA-512:C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
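The three bhv*.tmp files above are byte-identical (same hashes) and are classified as ESE databases, the JET Blue container format behind Windows Search, the IE/Edge WebCache (WebCacheV01.dat) and the Exchange/AD stores. A 25.5 MB file with entropy 0.88 is mostly empty pages, and DirtyShutdown means the database was not cleanly detached when this copy was taken, so it normally needs esentutl recovery or repair (/r or /p), or a parser that tolerates a dirty state, before its tables can be read. The following routine is an added example for this report, not Joe Sandbox code: it confirms the format from the header and pulls out the fields the File Type line is built from. Field offsets are those of the libmagic ESE signature (signature 0x89ABCDEF at +4, format version at +8, state at +52, Windows version at +216/+220, page size at +236); the header bytes are constructed to reproduce the values the report lists, not taken from the sample.

```python
"""Identify an ESE (JET Blue) database from its header and report triage fields.

Added example for this report, not Joe Sandbox code. build_sample_header() is a
CONSTRUCTED header carrying the values the report lists for the bhv*.tmp files
(version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows 10.0).
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF          # little-endian DWORD at offset 4
HEADER_MIN_LEN = 240                # page-size field ends at offset 240
ESE_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
              4: "BeingConverted", 5: "ForceDetach"}


def build_sample_header(checksum=0x3860E4E7, version=0x620, state=2,
                        win_major=10, win_minor=0, page_size=32768):
    """Constructed header: a zeroed page with only the fields a triage reads."""
    hdr = bytearray(HEADER_MIN_LEN)
    struct.pack_into("<IIII", hdr, 0, checksum, ESE_SIGNATURE, version, 0)  # type 0 = database
    struct.pack_into("<I", hdr, 52, state)
    struct.pack_into("<II", hdr, 216, win_major, win_minor)
    struct.pack_into("<I", hdr, 236, page_size)
    return bytes(hdr)


def parse_ese_header(data):
    """Return None if data is not an ESE database, else a dict of header fields."""
    if len(data) < HEADER_MIN_LEN:
        return None
    checksum, signature, version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        return None
    state = struct.unpack_from("<I", data, 52)[0]
    win_major, win_minor = struct.unpack_from("<II", data, 216)
    page_size = struct.unpack_from("<I", data, 236)[0]
    return {
        "file_type": "database" if file_type == 0 else "streaming file",
        "version": version,
        "checksum": checksum,
        "state": ESE_STATES.get(state, "unknown(%d)" % state),
        "windows_version": "%d.%d" % (win_major, win_minor),
        "page_size": page_size,
    }


def page_count(file_size, page_size):
    """Number of pages in the file; None means the copy is truncated or padded."""
    if page_size <= 0 or file_size % page_size:
        return None
    return file_size // page_size


if __name__ == "__main__":
    info = parse_ese_header(build_sample_header())
    print(info)
    # The report's 26738688-byte files are exactly 816 pages of 32768 bytes.
    print("pages:", page_count(26738688, info["page_size"]))
```

On a real copy, read the first 240 bytes of the file into parse_ese_header; a DirtyShutdown result plus a page count that is not an integer tells you the file was copied while being written and will not open without repair.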
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmp2427.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                   Preview: ..
                                                                                                                                   Note: a 2-byte file that is classified as little-endian UTF-16 text can only consist of the byte-order mark FF FE, i.e. it is an empty UTF-16 text file. tmp51F7.tmp, tmp72B7.tmp and tmpF619.tmp below are byte-identical (same hashes). All four are written by the vbc.exe process the sample injects into, which is consistent with credential-recovery output (see the MailPassView and WebBrowserPassView detections) that returned no results in the sandbox.
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1653
                                                                                                                                  Entropy (8bit):5.161745901057222
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:7905247879184C91276AA846224B68E9
                                                                                                                                  SHA1:3F24CBA6359007C884F0DBAB1E66ADB90E3D5AA5
                                                                                                                                  SHA-256:1380B534164A7193F9DAF1ACD1614B2533BF67005D9DD7D4E1E08BE825A0A78B
                                                                                                                                  SHA-512:A303D15C69C7D7429E5876E02F0370B1C9BA2DA4DD807ABDE8F363B382ED55C93DBE81624CF693DA294F7120F7D6735CC475D704F19F9662550A9A52E765B4FF
                                                                                                                                  Malicious:true
                                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
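The task definition above is staged in %TEMP% by the sample process and registered with schtasks.exe (see the schtasks signature and the Sigma rule "Suspicious Add Task From User AppData Temp"). Its LogonTrigger re-runs the action at every interactive logon of computer\user, and the RegistrationInfo date of 2014 on a file created during the analysis shows the XML is a fixed template embedded in the dropper rather than generated at run time. The preview is cut off before the Actions element, so the command it launches is not visible here. The following triage routine is an added example for this report, not Joe Sandbox code: it parses a task XML and flags the persistence indicators a responder looks for. The sample XML inside it is constructed from the preview above; the Hidden setting and the Actions block, including the EXAMPLE_PAYLOAD.exe path, are assumed placeholders and not taken from the sample.

```python
"""Triage a Task Scheduler XML for user-level persistence indicators.

Added example for this report, not Joe Sandbox output. SAMPLE_TASK_XML is
CONSTRUCTED from the tmpBB4.tmp preview; the <Hidden> setting and the whole
<Actions> block (cut off in the preview) are ASSUMED placeholders.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to (cf. the Sigma rule in this report).
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Users\\Public\\|\\ProgramData\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.IGNORECASE)

SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <Hidden>true</Hidden>  <!-- ASSUMED: not visible in the report preview -->
  </Settings>
  <Actions Context="Author">  <!-- ASSUMED: the preview is truncated before here -->
    <Exec><Command>C:\Users\user\AppData\Roaming\EXAMPLE_PAYLOAD.exe</Command></Exec>
  </Actions>
</Task>
"""


def parse_task_date(text):
    """Task Scheduler writes 7 fractional digits; drop them and any zone suffix."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", text.strip())
    if not m:
        raise ValueError("unrecognised task date: %r" % text)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")


def _text(elem, path, default=None):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def triage_task_xml(data, created_iso):
    """data: raw task XML bytes; created_iso: when the XML file was written."""
    root = ET.fromstring(data)  # expat honours the BOM / encoding declaration
    created = parse_task_date(created_iso)
    out = {"triggers": [], "commands": [], "flags": []}
    for trig in root.iterfind("t:Triggers/*", NS):
        kind = trig.tag.rsplit("}", 1)[-1]
        enabled = _text(trig, "t:Enabled", "true").lower() == "true"
        out["triggers"].append((kind, enabled))
        if kind == "LogonTrigger" and enabled:
            out["flags"].append("enabled LogonTrigger: re-executes at every logon")
    principal = root.find("t:Principals/t:Principal", NS)
    out["run_level"] = _text(principal, "t:RunLevel") if principal is not None else None
    out["logon_type"] = _text(principal, "t:LogonType") if principal is not None else None
    settings = root.find("t:Settings", NS)
    if settings is not None:
        if _text(settings, "t:AllowHardTerminate", "true").lower() == "false":
            out["flags"].append("AllowHardTerminate=false: scheduler cannot force-stop it")
        if _text(settings, "t:Hidden", "false").lower() == "true":
            out["flags"].append("Hidden=true: not listed in the Task Scheduler UI")
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = _text(exe, "t:Command", "")
        out["commands"].append((cmd + " " + _text(exe, "t:Arguments", "")).strip())
        if USER_WRITABLE.search(cmd):
            out["flags"].append("command in user-writable path: " + cmd)
    reg_text = _text(root, "t:RegistrationInfo/t:Date")
    if reg_text:
        reg = parse_task_date(reg_text)
        out["registration_date"] = reg.isoformat()
        if abs(created - reg) > timedelta(days=1):
            out["flags"].append("RegistrationInfo/Date disagrees with file creation: templated XML")
    return out


def triage_sample():
    """Run the triage on the constructed XML with an ASSUMED file creation time."""
    return triage_task_xml(SAMPLE_TASK_XML.encode("utf-16"), "2021-10-28T12:00:00")
```

Feed it the raw bytes of a task file from %TEMP% or from C:\Windows\System32\Tasks together with the file's creation time; the registration-date check is what separates a templated dropper artefact like this one from a task a user created interactively.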
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmpF619.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Roaming\NbJgZAsv.exe
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):897024
                                                                                                                                  Entropy (8bit):7.575754263243903
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:52EF260EF62AAE29914F40CB8EAED7AC
                                                                                                                                  SHA1:CBA71C49AE1C145C6E9210685BE42F4AA24B0E18
                                                                                                                                  SHA-256:752EFE9AD078A9BE4A82B6F7C2123D58C90A1456287390B50DF9E9C3292BC490
                                                                                                                                  SHA-512:728F4B4590909C13A1CD9D0DDD90A6C75FDAD830ED44EDE67A1EB0CBD59476760507511E2F42D38545ABF11E3B08D85E95E8F04962094E012956D061E82425AE
                                                                                                                                   Malicious:false
                                                                                                                                   Note: MD5, SHA1 and SHA-256 are identical to those of the submitted sample (see Static File Info below), so this is a byte-for-byte copy of the dropper written to the Roaming profile under a random-looking name; despite the Malicious:false verdict on this entry, the file is the sample itself.
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V...............................~.... ........@.. ....................................@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........{...E...........................................................0..9.......+.&.........%..#.o...........%.r...p.%.r/..p.%....8.....*...B+.&.+.&..(.....*....+.&..*..+.&..*.^+.&...(....(!...("....*^+.&..(%....(....o.....*.0..........+.&.+.&. ....8o......(.......{.....(.......{.....(......s....}....8....& ....8/....rI..p}.... .....9....&.(&...8.... ............E........l...............-.......u... .....:....&..}....($...(#...9....& ....8......{.....{.....{....o....u....
                                                                                                                                  C:\Users\user\AppData\Roaming\NbJgZAsv.exe:Zone.Identifier
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):26
                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                  Malicious:false
                                                                                                                                   Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                   Note: ZoneId=0 is URLZONE_LOCAL_MACHINE. The dropped copy therefore carries no Mark of the Web and will not trigger the SmartScreen or Attachment Manager warnings that a ZoneId=3 (Internet) file would.

                                                                                                                                  Static File Info

                                                                                                                                  General

                                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Entropy (8bit):7.575754263243903
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                  File name:DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File size:897024
                                                                                                                                  MD5:52ef260ef62aae29914f40cb8eaed7ac
                                                                                                                                  SHA1:cba71c49ae1c145c6e9210685be42f4aa24b0e18
                                                                                                                                  SHA256:752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
                                                                                                                                  SHA512:728f4b4590909c13a1cd9d0ddd90a6c75fdad830ed44ede67a1eb0cbd59476760507511e2f42d38545abf11e3b08d85e95e8f04962094e012956d061e82425ae
                                                                                                                                  SSDEEP:24576:7HnOzw59zsorf4ep5TIAAkYc8xmGgTp5UVNH19:KITMepFYPxmjUVNV
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V...............................~.... ........@.. ....................................@................................

                                                                                                                                  File Icon

                                                                                                                                  Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4db87e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xBAAB9656 [Fri Mar 29 18:28:38 2069 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xdb830          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xdc000          0x10ec        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xde000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xd9884       0xd9a00   False     0.804097411689   data       7.57987288124   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xdc000          0x10ec        0x1200    False     0.377170138889   data       4.90557056462   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xde000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                             Language  Country
RT_VERSION   0xdc0a0  0x324  data
RT_MANIFEST  0xdc3c4  0xd25  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020
Assembly Version  1.0.0.0
InternalName      X509Constan.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       MyNoteApp
ProductVersion    1.0.0.0
FileDescription   MyNoteApp
OriginalFilename  X509Constan.exe

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time: 15:21:04
Start date: 05/11/2021
Path: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
Imagebase: 0xad0000
File size: 897024 bytes
MD5 hash: 52EF260EF62AAE29914F40CB8EAED7AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:21:25
Start date: 05/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
Imagebase: 0x1240000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:26
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff61de10000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:26
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  Imagebase:0x6f0000
                                                                                                                                  File size:897024 bytes
                                                                                                                                  MD5 hash:52EF260EF62AAE29914F40CB8EAED7AC
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604997751.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604881484.0000000002BE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606069695.0000000002CBB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:15:21:31
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1171592 bytes
                                                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.394234087.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.393712124.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.394776440.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:41
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1171592 bytes
                                                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.414637682.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.414189798.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.413703386.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:48
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1171592 bytes
                                                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.439502988.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.429569305.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.428434291.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.428849255.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:55
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1171592 bytes
                                                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.458049589.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.443122582.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.445590834.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.443616731.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:23:00
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis

Executed Functions

Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f77b03091c05388adddd541929278b234d7b03f6bc8d08b37a28e4b647bca27f
• Instruction ID: 409196be3dc3b000719c59884e65f06649055c4b72cc76b5fced0f7a46f17ff1
• Opcode Fuzzy Hash: f77b03091c05388adddd541929278b234d7b03f6bc8d08b37a28e4b647bca27f
• Instruction Fuzzy Hash: F4A1F2F4E04249DFDF04CFA9C64569EBBF2AB89304F288129D818EB349E7749945CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e8ce51a0a311a27f026a407eadcd32742c5494557db04b82dab9feea79b0e2d
• Instruction ID: 844a0480057106ba1478b19159bfcef5b0613434ddfa47ce85ee086915d9c675
• Opcode Fuzzy Hash: 5e8ce51a0a311a27f026a407eadcd32742c5494557db04b82dab9feea79b0e2d
• Instruction Fuzzy Hash: 238115F4E05249DFDF04CFA9C64469EBBF2AB89300F28812AD809EB349E7349945CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a0205aac7136e3a1cf394549b21ffb887d659054de9a9938acc1439e4778aa5
• Instruction ID: 3c0bd62395f9c08f96c0db2feae8a6193875f8b6bcdd21253649789098544d52
• Opcode Fuzzy Hash: 8a0205aac7136e3a1cf394549b21ffb887d659054de9a9938acc1439e4778aa5
• Instruction Fuzzy Hash: 9731BAB5A0022DDFDB60DF64C884BE9BBB4AB09315F1484E9D508A3251DB329EC4CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FA848E
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 67ebc83c9adc8197b7850f5f2a447e46e5b8f62ecab0c7fbaca2f754754fda17
• Instruction ID: 734269cf2520bf545cd69f3f7f4c4a0015b0a4b04772d3eb8468717e41b9c6a9
• Opcode Fuzzy Hash: 67ebc83c9adc8197b7850f5f2a447e46e5b8f62ecab0c7fbaca2f754754fda17
• Instruction Fuzzy Hash: 12A14BB1D00219DFDF11DFA9C880BEEBBB6BF44354F188569D809A7240EB749985CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FA848E
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: bb4db7705cd0995b510053cfc1d0513f9a0813cc25a5eebee20ca20f6c1105b4
• Instruction ID: 1ab82ede0dc8caf6e9d7dc9c9b71cf1a1832b2d859e8ff946a8983853433b355
• Opcode Fuzzy Hash: bb4db7705cd0995b510053cfc1d0513f9a0813cc25a5eebee20ca20f6c1105b4
• Instruction Fuzzy Hash: 6F913BB1D00219DFDF11DFA9C880BEEBBB6BF48354F188569D809A7240EB749985CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01509C4E
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c79a89ec2c20ee8b3c33754742d8d34d6346b96469c8ebf05e0b174a80ca91d4
• Instruction ID: 22b7e19b32a800e27655c1d699348319d7cf22ba763f1c87f6a90dc18fb553d6
• Opcode Fuzzy Hash: c79a89ec2c20ee8b3c33754742d8d34d6346b96469c8ebf05e0b174a80ca91d4
• Instruction Fuzzy Hash: 67714870A00B058FDB65CFA9C04079AB7F5FF88214F008A2ED54ADBA95D775E845CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 01505769
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: bcc05c6d0d82f2d8542dac224c1303c75a2502ae7aa831de6ddba1890ade9785
• Instruction ID: 794ef909f2927d0ba114891a5f54cf6c83cdd853063dc7a3299a63d5b83cd6d6
• Opcode Fuzzy Hash: bcc05c6d0d82f2d8542dac224c1303c75a2502ae7aa831de6ddba1890ade9785
• Instruction Fuzzy Hash: C541C2B1C00718CFDB25DFA9C884BDEBBB5BF48304F248569D409AB251EB756946CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 01505769
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 34ba2b90a92eabde961e8e4a6bb5fa2df3d905db9e7abc45d9141a9c43ffc448
• Instruction ID: 8208bc71250221e3c0d556831f487f9813495c182aa72c5c817227e9194bbf64
• Opcode Fuzzy Hash: 34ba2b90a92eabde961e8e4a6bb5fa2df3d905db9e7abc45d9141a9c43ffc448
• Instruction Fuzzy Hash: 4241F5B1C00759CFDB25CFA9C884BDEBBB5BF48304F24856AD408AB251EB755946CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150C2DE,?,?,?,?,?), ref: 0150C39F
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 99a82ef3ae98d0e2a6b1eed99aeb5775e44105c1719a607f0b77f5edc2899ee0
• Instruction ID: 04b265aaee2df27af1a67749c3e2d455a16507b36a15cd527e6f98635215d36e
• Opcode Fuzzy Hash: 99a82ef3ae98d0e2a6b1eed99aeb5775e44105c1719a607f0b77f5edc2899ee0
• Instruction Fuzzy Hash: DE318F78A80341DFEB05AF65EC4DB693BA9F785300F50496AEA468F3C6CB30A804CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FA8060
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 42725bc8f69d4839d7ded8b5c5716c9eb67aff90c447b882a7350600fa36153e
• Instruction ID: 9a8b653cbbd52d73c998bbabc2dac90a8febd4b645a8323fce7af43271650441
• Opcode Fuzzy Hash: 42725bc8f69d4839d7ded8b5c5716c9eb67aff90c447b882a7350600fa36153e
• Instruction Fuzzy Hash: 5B2159B19003499FCB10CFA9C8847EEBBF4FF48324F14882EE919A7240D7749954CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FA8060
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: d5db01318cf292b9dceabd28c645f862de4726c2f408ca30f021a054794e269d
• Instruction ID: 9fa59a159ad3b58e710e9a58ef0ff39680eb9407926d215eb2d0c4e3914657cb
• Opcode Fuzzy Hash: d5db01318cf292b9dceabd28c645f862de4726c2f408ca30f021a054794e269d
• Instruction Fuzzy Hash: 6F2127B1D003599FCB10DFA9C8847EEBBF5FF48354F148829E919A7240D7B99954CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FA8140
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 6038c3b2bfa951b7e7c925028d754301220121733295ca4b591ac926769ab29b
• Instruction ID: 47fdb7db91c7228b00183f59b94b7b2c09825b868fc86e6fd4e90161c92d9f42
• Opcode Fuzzy Hash: 6038c3b2bfa951b7e7c925028d754301220121733295ca4b591ac926769ab29b
• Instruction Fuzzy Hash: 482139B18002599FCB10DFA9D8807EEBBF5FF48324F54892EE518A7240C7759955CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150C2DE,?,?,?,?,?), ref: 0150C39F
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 402a643b41c8d96ef478699f33241f72282d96a55996bfa17372fd68bdab3ce5
• Instruction ID: ae468d259fb280c12ae42f16f8c9860b5fdf3f783751620cd3c34db9227c4699
• Opcode Fuzzy Hash: 402a643b41c8d96ef478699f33241f72282d96a55996bfa17372fd68bdab3ce5
• Instruction Fuzzy Hash: EF2125B5900249DFDB10CFE9D884AEEBBF8FB48320F14855AE914A7350D375AA50CFA1
Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 07FA7EB6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1591575202-0
                                                                                                                                    • Opcode ID: d8d128d893da84541e28f5f7a6cd1971c1f7b5eb7e08f15d4884ebb16fecebcb
                                                                                                                                    • Instruction ID: e94dd892cb2a88a19e4ab0f295f5e08d1bfd86b7689b6e86049d787b02add496
                                                                                                                                    • Opcode Fuzzy Hash: d8d128d893da84541e28f5f7a6cd1971c1f7b5eb7e08f15d4884ebb16fecebcb
                                                                                                                                    • Instruction Fuzzy Hash: C9213AB6D002099FCB10DFA9C4847EFBBF5EF58224F54882AD419A7340DB789945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150C2DE,?,?,?,?,?), ref: 0150C39F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                    • Opcode ID: c22ce511cf46c495bf7647caa9a5500d6a2846c32f7c744e28afc348cf30ffd6
                                                                                                                                    • Instruction ID: 96af4aa5cf183d05c9800c0c8a6b31529f7e60da90c81b5fd96f9fd53ed3921b
                                                                                                                                    • Opcode Fuzzy Hash: c22ce511cf46c495bf7647caa9a5500d6a2846c32f7c744e28afc348cf30ffd6
                                                                                                                                    • Instruction Fuzzy Hash: 7E2114B5900209EFDB10CFAAD484AEEBBF8FB48320F14855AE914A7350D374A954CFA0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150C2DE,?,?,?,?,?), ref: 0150C39F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                    • Opcode ID: 8ce458eb3198a13f38ab926a1c578dfa348a82739b4f18564df4d0950e75b35f
                                                                                                                                    • Instruction ID: 64b99c79031fc04da3a00b74341926b30cdc188e8e5f25852a5eb7d896f7f07d
                                                                                                                                    • Opcode Fuzzy Hash: 8ce458eb3198a13f38ab926a1c578dfa348a82739b4f18564df4d0950e75b35f
                                                                                                                                    • Instruction Fuzzy Hash: 1721E4B5D002099FDB10CFAAD884ADEBBF8FB48324F14851AE914A7350D375A954CFA0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 07FA7EB6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1591575202-0
                                                                                                                                    • Opcode ID: 3953a2c35e13b9c225595e5ffc50b514b5a00781d2ec73d9d467fb9a51fcb065
                                                                                                                                    • Instruction ID: ff57bf86fc6463fb412c5c1c4555858621c2fa0d5a937eb61dc9d5e12063c198
                                                                                                                                    • Opcode Fuzzy Hash: 3953a2c35e13b9c225595e5ffc50b514b5a00781d2ec73d9d467fb9a51fcb065
                                                                                                                                    • Instruction Fuzzy Hash: AC2118B1D002099FCB10DFAAC4847EEBBF9EF48224F548829D519A7340DB78A945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FA8140
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726664587-0
                                                                                                                                    • Opcode ID: ba57d48a77f69b8580f9717504eaf1b533714143ab7644e1c25def7cdea69d47
                                                                                                                                    • Instruction ID: cc55e6b33607839dce8db84aa8d1e14ebb4f70d2d78bd220dedc097c501e69b3
                                                                                                                                    • Opcode Fuzzy Hash: ba57d48a77f69b8580f9717504eaf1b533714143ab7644e1c25def7cdea69d47
                                                                                                                                    • Instruction Fuzzy Hash: 4D2128B1C002599FCB10DFA9C8846EEBBF5FF48324F548829E518A7240D7799954CBA4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0150A0C9,00000800,00000000,00000000), ref: 0150A2DA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                    • Opcode ID: a7b0e803c9b241a5d671ae9a771074ebafd65818b39af8abfe723d14eb296043
                                                                                                                                    • Instruction ID: a48f53c11a6ba1a7afcc3285ab83a408d142d20511b62dc37c55ea8ade9bacef
                                                                                                                                    • Opcode Fuzzy Hash: a7b0e803c9b241a5d671ae9a771074ebafd65818b39af8abfe723d14eb296043
                                                                                                                                    • Instruction Fuzzy Hash: 872154B28043498FCB11CFEAC454ADEBBF8AF48324F04846AD559AB240C375A585CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0150A0C9,00000800,00000000,00000000), ref: 0150A2DA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                    • Opcode ID: ceb651e8392934e7bbd7738b08ea6d023aca3dfc6a04ffdc746a6a52517c39e4
                                                                                                                                    • Instruction ID: f5f4360f30ecd1d983d0fdfa43f8a4ce9ea9dd33ceadc6383cdd6d8eeb774889
                                                                                                                                    • Opcode Fuzzy Hash: ceb651e8392934e7bbd7738b08ea6d023aca3dfc6a04ffdc746a6a52517c39e4
                                                                                                                                    • Instruction Fuzzy Hash: DB11F2B69003598FDB10CFAAC444ADEFBF8FB48324F14852AE519AB240C375A945CFA4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FA7F7E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: c51407e79de9e03e0b7832e31df43f4ab1a3322ddcedcb014a0dcf11c83e6dfe
                                                                                                                                    • Instruction ID: 1ef0d7fbf8973b7efea222fe4f22cd15645ae5f2438b1e6babaaed180f3de81a
                                                                                                                                    • Opcode Fuzzy Hash: c51407e79de9e03e0b7832e31df43f4ab1a3322ddcedcb014a0dcf11c83e6dfe
                                                                                                                                    • Instruction Fuzzy Hash: 8C1137B19002499FCB10DFA9D844BEFBBF9EF48324F148829E559A7250C7759A54CFA0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ResumeThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                    • Opcode ID: 92716564e29d54223054ea79a36897dffd09231b9852fc73cddd98d01b7a8b3e
                                                                                                                                    • Instruction ID: 1dc91bb5eedf7e8922e7798cbc05d4e9e581860a35283d36be33deef6a4af06b
                                                                                                                                    • Opcode Fuzzy Hash: 92716564e29d54223054ea79a36897dffd09231b9852fc73cddd98d01b7a8b3e
                                                                                                                                    • Instruction Fuzzy Hash: 4E115BB19003498FCB10DFAAC4447EFFBF9AF48328F24882ED419A7640C7756945CBA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0150A0C9,00000800,00000000,00000000), ref: 0150A2DA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                    • Opcode ID: 577ac59cdd5e48a9331d97050f25764403972b32051565eff3a290c6fe00b965
                                                                                                                                    • Instruction ID: d790feb922c5b16f4f943e5d922c96dade62346ec93e8df5e2ebad7ae24a6ffe
                                                                                                                                    • Opcode Fuzzy Hash: 577ac59cdd5e48a9331d97050f25764403972b32051565eff3a290c6fe00b965
                                                                                                                                    • Instruction Fuzzy Hash: F11103B68003499FDB10CFAAD444ADEFBF8EB88324F14852AE519A7600C375A545CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FA7F7E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: 896f08fbe01c5855deb513cec8d155322f577d2824f2fac7408a55fcc9ab06ae
                                                                                                                                    • Instruction ID: b2e4591e3f8801e2d0d954a661d841578773959d569317a69ffe454b77a5a9ff
                                                                                                                                    • Opcode Fuzzy Hash: 896f08fbe01c5855deb513cec8d155322f577d2824f2fac7408a55fcc9ab06ae
                                                                                                                                    • Instruction Fuzzy Hash: 5D1137B19002499FCB10DFA9C844BEFBBF9EF48324F148829E519A7250C775A954CFA0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ResumeThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                    • Opcode ID: a0dac1275718c19aceaa750478eca81d9cdf4561d81941695378d375c7c95f0c
                                                                                                                                    • Instruction ID: 566cc476d43fa045ac5fa32e9a8582bdca2d3d3c49e74a4170ceab6d7369356d
                                                                                                                                    • Opcode Fuzzy Hash: a0dac1275718c19aceaa750478eca81d9cdf4561d81941695378d375c7c95f0c
                                                                                                                                    • Instruction Fuzzy Hash: 89110AB1D002498FCB10DFAAC8547EFFBF9EF88224F248829D519A7240D775A945CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01509C4E
Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 07FAC66D
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.384679397.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.384679397.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384679397.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384715931.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384715931.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384679397.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384715931.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384715931.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID: .&n^$UUUU
• API String ID: 0-454164
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.384825323.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.392174472.0000000007FA0000.00000040.00000001.sdmp, Offset: 07FA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

APIs
• NtUnmapViewOfSection.NTDLL ref: 058E13C5
Strings
Memory Dump Source
• Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
Similarity
• API ID: SectionUnmapView
• String ID: y4i$
• API String ID: 498011366-2620213625
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 058E1D64
Memory Dump Source
• Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 058E1D64
Memory Dump Source
• Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058FCDCA
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058FCDCA
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 058F1C47
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 058FF849
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 058F1C47
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,02926A4E,00000000,00000000), ref: 02926AE0
Memory Dump Source
• Source File: 00000007.00000002.603989758.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 058FE927
Memory Dump Source
• Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                                    • Opcode ID: fdbe2556705d0fc7a33cb527998fd99920091a1f0b387fbf173f694f02d3df04
                                                                                                                                    • Instruction ID: 1601e6365b4232a93d3613f111bf59d6c1946a7b6f1a535d2044acfe1ecced74
                                                                                                                                    • Opcode Fuzzy Hash: fdbe2556705d0fc7a33cb527998fd99920091a1f0b387fbf173f694f02d3df04
                                                                                                                                    • Instruction Fuzzy Hash: 7D210FB59002099FDF10CFAAD884ADEFBF8EB48324F24841AE914A3350D374A955CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,02926A4E,00000000,00000000), ref: 02926AE0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603989758.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                    • Opcode ID: bce7c700aec0c097dc26c7601914dec72c9446d42c9d3f521836c7aa005a3166
                                                                                                                                    • Instruction ID: 16c178147d39b9104f7de9433c1e99be6b817666317e9d3cb1895f5adc731b5e
                                                                                                                                    • Opcode Fuzzy Hash: bce7c700aec0c097dc26c7601914dec72c9446d42c9d3f521836c7aa005a3166
                                                                                                                                    • Instruction Fuzzy Hash: B52159719002198FCB10CF9AC844BEFBBF9FB88324F248429E519A7740D774A985CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058E208C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3559483778-0
                                                                                                                                    • Opcode ID: 2dfe595f84d1efb902b4ce6f986c00330839f1f8222f7d2a412915af57eafea7
                                                                                                                                    • Instruction ID: ec43ba3b474687ff5b77ebc4919f3a09a7c01475e35f9080d21d2151c187dd13
                                                                                                                                    • Opcode Fuzzy Hash: 2dfe595f84d1efb902b4ce6f986c00330839f1f8222f7d2a412915af57eafea7
                                                                                                                                    • Instruction Fuzzy Hash: A32114B590021A9FCB10CF99C884BDEBBF8FF48324F14802AE915A7240D379A954CBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,02926A4E,00000000,00000000), ref: 02926AE0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603989758.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                    • Opcode ID: 6d74f0b232318a43b853d3a4251dbc3ecf89a649558de5c6d65615655c096fd2
                                                                                                                                    • Instruction ID: ff0a53fc2dd7f183461ba7496088824ed0dec256ec688d4b20a0bdcb41a986ad
                                                                                                                                    • Opcode Fuzzy Hash: 6d74f0b232318a43b853d3a4251dbc3ecf89a649558de5c6d65615655c096fd2
                                                                                                                                    • Instruction Fuzzy Hash: AA215C719002098FCB14CF99C844BEEBBF9FF88324F148429D458A7340DB75A985CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 02926910
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603989758.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnumResourceTypes
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 29811550-0
                                                                                                                                    • Opcode ID: bfdcae70dfc2150c1ff52cdcf250efd4124e461a737c2ef7381c37e6c5d02ec6
                                                                                                                                    • Instruction ID: 9dc926f24844bb0163d6a4c97f6d37559d3b68bd67c39f340fca4080f91d76e1
                                                                                                                                    • Opcode Fuzzy Hash: bfdcae70dfc2150c1ff52cdcf250efd4124e461a737c2ef7381c37e6c5d02ec6
                                                                                                                                    • Instruction Fuzzy Hash: ED2148719002198FCB14CFAAC844BEEFBF9EF88324F14842AD854A3650DB75A945CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 058FE927
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                    • Opcode ID: 6afe03912bee8eaa211bc9c28e955d6bc19897a8ea3b06367b44e109651ae8e4
                                                                                                                                    • Instruction ID: 37f2033bca0df824788951ba39492a02bbc785cfd2e549a1b86a761f01fb5f6f
                                                                                                                                    • Opcode Fuzzy Hash: 6afe03912bee8eaa211bc9c28e955d6bc19897a8ea3b06367b44e109651ae8e4
                                                                                                                                    • Instruction Fuzzy Hash: E421D2B59002099FDF50CFAAD984ADEFBF8FB48324F14841AE914A7310D375A955CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058E208C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3559483778-0
                                                                                                                                    • Opcode ID: 23b02fe8dcff300664c9e8802d1eb65a142513dbd6670551dbd71e3c17509c18
                                                                                                                                    • Instruction ID: 10b8fc355a3da67ba13261f277a59a78b04eae6dc9b8d88e2f95f111b6bf8d04
                                                                                                                                    • Opcode Fuzzy Hash: 23b02fe8dcff300664c9e8802d1eb65a142513dbd6670551dbd71e3c17509c18
                                                                                                                                    • Instruction Fuzzy Hash: BB21F5B5900209DFCB10CF99C884BDEBBF8FF49324F148429E915A7240D379A954CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 02926910
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603989758.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnumResourceTypes
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 29811550-0
                                                                                                                                    • Opcode ID: ddb67c8bdd2ac10bd795243c6b5d5cc2b4c4667d47e9317341bea666f4d001ac
                                                                                                                                    • Instruction ID: 86358ed808443c008fd146be138a4f61c0bb6184ec16dcf0120c8efb19786f3a
                                                                                                                                    • Opcode Fuzzy Hash: ddb67c8bdd2ac10bd795243c6b5d5cc2b4c4667d47e9317341bea666f4d001ac
                                                                                                                                    • Instruction Fuzzy Hash: 192123719002198FCB14CFAAC844BEEFBF9EF88324F14842AD415A3240DB78A955CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058E1FB9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726664587-0
                                                                                                                                    • Opcode ID: 8f3dfade2eaa626c336d9814e54c1288590c70219e96ae3730a9c908b94c815a
                                                                                                                                    • Instruction ID: ae5a8b81baed6fab6e437ecd5e4bd9e7c32184aee3b93c12057e2d538e9fae4d
                                                                                                                                    • Opcode Fuzzy Hash: 8f3dfade2eaa626c336d9814e54c1288590c70219e96ae3730a9c908b94c815a
                                                                                                                                    • Instruction Fuzzy Hash: CC21F3B59002199FCB10CF9AD884BDEFBF8FB48324F10842AE918A7200D375A955CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 058E40B3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HookWindows
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2559412058-0
                                                                                                                                    • Opcode ID: a834c629f37cef18e7e7967dba83e5c0e84e12564c6f9fd1bc2c57383f8f8dcb
                                                                                                                                    • Instruction ID: 511725b9c81f2f1baef5bf82899e2489e4ac3c95ae3870b86bcf99fbb8afeb2a
                                                                                                                                    • Opcode Fuzzy Hash: a834c629f37cef18e7e7967dba83e5c0e84e12564c6f9fd1bc2c57383f8f8dcb
                                                                                                                                    • Instruction Fuzzy Hash: 3F2123719002098FCB54CF99C844BEEBBF9FB88324F148429D819A7250CB75A945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 058E40B3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HookWindows
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2559412058-0
                                                                                                                                    • Opcode ID: 8215e5614cb81d1e4dbba8b655daa40d909eb1c564f30263bdbbdd4cfbe71750
                                                                                                                                    • Instruction ID: 87b3a96b3561a5379692064e764f4e6a372759dcf28f75a319aa02a53f898f4d
                                                                                                                                    • Opcode Fuzzy Hash: 8215e5614cb81d1e4dbba8b655daa40d909eb1c564f30263bdbbdd4cfbe71750
                                                                                                                                    • Instruction Fuzzy Hash: 252154B19002498FCF50CFA9C844BEEBBF5FF88324F14842AD819A7250CB74A945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 058E1EF3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1591575202-0
                                                                                                                                    • Opcode ID: 2620d2ae1e754873a0fbde294384da60416dd749a2b6d412aebb24d991ac89f4
                                                                                                                                    • Instruction ID: 8fcf5fc5fb986f8f2cb5c8005064fa9e358a069d339caf5f1b2c05680dd3c5b7
                                                                                                                                    • Opcode Fuzzy Hash: 2620d2ae1e754873a0fbde294384da60416dd749a2b6d412aebb24d991ac89f4
                                                                                                                                    • Instruction Fuzzy Hash: 842106B2D0025A8FCB10CF9AC845BDEBBF4FB89324F148429D858A7740D779A945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058E1FB9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726664587-0
                                                                                                                                    • Opcode ID: 04e12cc02336d676075031093e6349f3923ce4895d8b8d3af21b7e8435399526
                                                                                                                                    • Instruction ID: 197dcbe663dd11fa268b6eeb8d7ea8badfda202ea0eba7643a267c1bc240cfa6
                                                                                                                                    • Opcode Fuzzy Hash: 04e12cc02336d676075031093e6349f3923ce4895d8b8d3af21b7e8435399526
                                                                                                                                    • Instruction Fuzzy Hash: D221E3B5900259DFCB10CF9AD984BDEFBF8FB48324F10842AE918A7200D375A955CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 058E1EF3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1591575202-0
                                                                                                                                    • Opcode ID: 9cb366d665726282ba1b63f9d4d459adf264313b1f43e83f4957f26130f68ac4
                                                                                                                                    • Instruction ID: 579700b6ffb0816a8195eacdf1c55c998eff72306959f6ec71d32b6138e6a113
                                                                                                                                    • Opcode Fuzzy Hash: 9cb366d665726282ba1b63f9d4d459adf264313b1f43e83f4957f26130f68ac4
                                                                                                                                    • Instruction Fuzzy Hash: F91114B1D0024A8FCB10CF9AC844BDEFBF8FB89324F148029D858A3600D779A945CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 058FBD36
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                    • Opcode ID: 32634035d00c82c1ca58c227d464c5f0b764d8d11eed3ac0e7c4922171fb9c46
                                                                                                                                    • Instruction ID: d170e0035a644042cdc4cffb7b30b9bd558adbe3ea3c13abf3ab195348aa1956
                                                                                                                                    • Opcode Fuzzy Hash: 32634035d00c82c1ca58c227d464c5f0b764d8d11eed3ac0e7c4922171fb9c46
                                                                                                                                    • Instruction Fuzzy Hash: 6E11D3B58006498FDB10DF9AC844BDEFBF4EF89224F148569D919A7200D379A946CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 058FBD36
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607379764.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                    • Opcode ID: 501158fcb6a44fef65623be574763b8894c9fa0a216876ed36f0b44ea8cc11f2
                                                                                                                                    • Instruction ID: bccc29328f6ce913469a22f8be3b36d4c6430a7ad6a0d130f874074d07646de3
                                                                                                                                    • Opcode Fuzzy Hash: 501158fcb6a44fef65623be574763b8894c9fa0a216876ed36f0b44ea8cc11f2
                                                                                                                                    • Instruction Fuzzy Hash: 461103B58002498FCB10DF9AC444ADEFBF4EF49224F148429D919A7200D379A946CFA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 058E568D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Initialize
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2538663250-0
                                                                                                                                    • Opcode ID: de07b86d5fac409f1e6fe8ea40eaef6835350f2ca1e6f2b9d04d69417533118a
                                                                                                                                    • Instruction ID: 2f6dabad515012855161ffe2ab64c9dc2918c75881d0ffc6dc073646e1d45104
                                                                                                                                    • Opcode Fuzzy Hash: de07b86d5fac409f1e6fe8ea40eaef6835350f2ca1e6f2b9d04d69417533118a
                                                                                                                                    • Instruction Fuzzy Hash: 491136B1900209CFCB10DF99C444BDEFBF8EB49328F248459D919A7300D375A945CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 058E568D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Initialize
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2538663250-0
                                                                                                                                    • Opcode ID: 43c3242a012922c7675b6cc6991fefb820cf2aba6bd8bf73a0109914c623505e
                                                                                                                                    • Instruction ID: 19dfb02108ff88d397e0999f3e9762f3457b8baa0983159ffc32e34a29faf369
                                                                                                                                    • Opcode Fuzzy Hash: 43c3242a012922c7675b6cc6991fefb820cf2aba6bd8bf73a0109914c623505e
                                                                                                                                    • Instruction Fuzzy Hash: A81103B59002498FCB20DF9AC584BDEFBF8EF49328F248459D919A7300D375A945CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?), ref: 058E463F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2492992576-0
                                                                                                                                    • Opcode ID: dfaa6f3bb7d9e9fe2a1462bf8b3b766a686482f67fd32fce83c22b3069d77198
                                                                                                                                    • Instruction ID: 7fc14db78a84bd616218077986c7147683c5bb4b4599bf79892877072c30fca2
                                                                                                                                    • Opcode Fuzzy Hash: dfaa6f3bb7d9e9fe2a1462bf8b3b766a686482f67fd32fce83c22b3069d77198
                                                                                                                                    • Instruction Fuzzy Hash: A81123B08003498FCB10CF99C488B9EBBF8EB0A314F248819D919A7350D779A985CBA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?), ref: 058E463F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2492992576-0
                                                                                                                                    • Opcode ID: 66594116fd2ab29b81ae1762a08bb52302960676f550e25eb49a1a034f5272f2
                                                                                                                                    • Instruction ID: 7d413d2def6f0c1de02118063c5251b74459d98170c6f483b7fc22a739b4d541
                                                                                                                                    • Opcode Fuzzy Hash: 66594116fd2ab29b81ae1762a08bb52302960676f550e25eb49a1a034f5272f2
                                                                                                                                    • Instruction Fuzzy Hash: FD1123B080024A8FCB10CF99C484BDEBBF8EF09314F248819D928A7350D775A945CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: de05ab916fad25382be910e22d74d9cdcfd63fb35734e027d9427e201191b60d
                                                                                                                                    • Instruction ID: ba92038ac942c5cbdef5f64a53818817c11a47dff4d0ce35ba95c9958d0bbf5a
                                                                                                                                    • Opcode Fuzzy Hash: de05ab916fad25382be910e22d74d9cdcfd63fb35734e027d9427e201191b60d
                                                                                                                                    • Instruction Fuzzy Hash: 0DF04F70A04268DFCF218B50C8587D8BBB1BB19308F1084C9DA4DA7251C3B55ED4CF15
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.607356910.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ResumeThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                    • Opcode ID: 609226e6f7f0ea2607aac1f191e26a14ae9ad0a89add5d6a006e88ee40e82c2c
                                                                                                                                    • Instruction ID: 992ddd38381a686763a1e06ae21082a3b5bae139f01e45a38374dea056e40c02
                                                                                                                                    • Opcode Fuzzy Hash: 609226e6f7f0ea2607aac1f191e26a14ae9ad0a89add5d6a006e88ee40e82c2c
                                                                                                                                    • Instruction Fuzzy Hash: 2FF01D74909258CFCB20CB18C95C7D8BBB0AB16318F1485C9D959A7291C7B55DC5CF01
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603509674.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 08c469e14d014fcb533d56c17a211a5d1b2e7e3b7d4c46fc341d93158277641f
                                                                                                                                    • Instruction ID: 96bd3b4c90d0944c83f0e32df2830b857e90a3e3e1caf401413fff83c0543df5
                                                                                                                                    • Opcode Fuzzy Hash: 08c469e14d014fcb533d56c17a211a5d1b2e7e3b7d4c46fc341d93158277641f
                                                                                                                                    • Instruction Fuzzy Hash: B2210D71508240DFDB05EF94D9C0B16BFA5FB84328F2486AED8850F286C336D456C7B1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7e677716d4f6a617e7fdec27a390099b44a69d1016a886ef8f7a69ad7a695d3a
                                                                                                                                    • Instruction ID: efef372c34dc4d7bce40b3886d4b6dde7df2081fc33afe481a834c0cde13ca6b
                                                                                                                                    • Opcode Fuzzy Hash: 7e677716d4f6a617e7fdec27a390099b44a69d1016a886ef8f7a69ad7a695d3a
                                                                                                                                    • Instruction Fuzzy Hash: 1F212571544200EFDF45CF94D9D0B1ABBA5FB84324F20C9EDE8894B246C336D846DB61
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6ef9f5094e9de9eacee1bf08a03a05a99e89069994f635e157a8eae6759dbe4c
                                                                                                                                    • Instruction ID: fbad5a2c9ccb1c428dd81712a0f07cff2673775ff02b046c6379227502f79efa
                                                                                                                                    • Opcode Fuzzy Hash: 6ef9f5094e9de9eacee1bf08a03a05a99e89069994f635e157a8eae6759dbe4c
                                                                                                                                    • Instruction Fuzzy Hash: 8A21F6F2544240EFDF45DF94D9D0B2ABBA5FB84324F24C9A9E8890B246C336D446DBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 39700b653068622f3047ee36db799df863f91e048fa16f56ac64d83a995a8b5c
                                                                                                                                    • Instruction ID: e97016f0ded458ef05c04b99c7d122c695703c13f9a6eeffb697283532465119
                                                                                                                                    • Opcode Fuzzy Hash: 39700b653068622f3047ee36db799df863f91e048fa16f56ac64d83a995a8b5c
                                                                                                                                    • Instruction Fuzzy Hash: BE210471544240DFDF11DF94D9D4B2ABBA9FBC42A4F208AADE8890B246C336E447D761
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000007.00000002.603509674.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.603553185.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

APIs
• memset.MSVCRT ref: 004097B2
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
  • Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
• _wcsicmp.MSVCRT ref: 004098B7
• _wcsicmp.MSVCRT ref: 004098CA
• _wcsicmp.MSVCRT ref: 004098DD
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
• memset.MSVCRT ref: 00409964
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
• _wcsicmp.MSVCRT ref: 004099B7
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
• GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2238633743-2107673790
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413442
• memset.MSVCRT ref: 00413457
• Process32FirstW.KERNEL32(?,?), ref: 00413473
• OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
• memset.MSVCRT ref: 004134DF
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
• free.MSVCRT(-00000028), ref: 00413599
• Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
• CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
• FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
• wcslen.MSVCRT ref: 004093F3
• wcslen.MSVCRT ref: 004093FB
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFindwcslen$FirstNext
• API String ID: 2163959949-0
Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
• SizeofResource.KERNEL32(?,00000000), ref: 004141FE
• LoadResource.KERNEL32(?,00000000), ref: 0041420E
• LockResource.KERNEL32(00000000), ref: 00414219
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Resource$FindLoadLockSizeof
• API String ID: 3473537107-0
Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
                                                                                                                                      • Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
                                                                                                                                      • Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2
                                                                                                                                      • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
                                                                                                                                    • free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1355100292-0
                                                                                                                                    • Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                    • Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
                                                                                                                                    • Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                    • Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 004182A7
                                                                                                                                    • GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoSystemmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3558857096-0
                                                                                                                                    • Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                    • Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
                                                                                                                                    • Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                    • Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00411EC2
                                                                                                                                    • wcsrchr.MSVCRT ref: 00411EDB
                                                                                                                                    • memset.MSVCRT ref: 0041202F
                                                                                                                                      • Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
                                                                                                                                      • Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29
                                                                                                                                      • Part of subcall function 0040956D: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                      • Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
                                                                                                                                      • Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                      • Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
                                                                                                                                      • Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A
                                                                                                                                      • Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
                                                                                                                                      • Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
                                                                                                                                      • Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082
                                                                                                                                    • memset.MSVCRT ref: 0041204B
                                                                                                                                    • memset.MSVCRT ref: 00412061
                                                                                                                                    • memset.MSVCRT ref: 0041207D
                                                                                                                                    • wcslen.MSVCRT ref: 004120C4
                                                                                                                                    • wcslen.MSVCRT ref: 004120D1
                                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
                                                                                                                                    • memset.MSVCRT ref: 0041217E
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
                                                                                                                                      • Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB
                                                                                                                                    • memset.MSVCRT ref: 00412241
                                                                                                                                    • memset.MSVCRT ref: 0041225B
                                                                                                                                    • wcslen.MSVCRT ref: 00412275
                                                                                                                                    • wcslen.MSVCRT ref: 00412283
                                                                                                                                    • memset.MSVCRT ref: 004122FD
                                                                                                                                    • memset.MSVCRT ref: 00412317
                                                                                                                                    • wcslen.MSVCRT ref: 00412331
                                                                                                                                    • wcslen.MSVCRT ref: 0041233F
                                                                                                                                    • memset.MSVCRT ref: 004123C2
                                                                                                                                    • memset.MSVCRT ref: 004123E0
                                                                                                                                    • memset.MSVCRT ref: 004123FE
                                                                                                                                    • memset.MSVCRT ref: 00412573
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
                                                                                                                                      • Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
                                                                                                                                    • wcslen.MSVCRT ref: 0041245B
                                                                                                                                    • wcslen.MSVCRT ref: 00412469
                                                                                                                                    • wcslen.MSVCRT ref: 004124AF
                                                                                                                                    • wcslen.MSVCRT ref: 004124BD
                                                                                                                                    • wcslen.MSVCRT ref: 00412503
                                                                                                                                    • wcslen.MSVCRT ref: 00412511
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004125DA
                                                                                                                                      • Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                      • Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                      • Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
                                                                                                                                      • Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                      • Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
                                                                                                                                    • String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
                                                                                                                                    • API String ID: 2195781745-1743926287
                                                                                                                                    • Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                    • Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
                                                                                                                                    • Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                    • Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
                                                                                                                                      • Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
                                                                                                                                      • Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
                                                                                                                                      • Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
                                                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
                                                                                                                                    • EnumResourceTypesW.KERNEL32 ref: 0040FFA1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                                                    • API String ID: 2744995895-28296030
                                                                                                                                    • Opcode ID: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
                                                                                                                                    • Instruction ID: 58268879d1a8d32d9d01966b45afca8998e7ac275f8ef3c48d75c103cdcc3135
                                                                                                                                    • Opcode Fuzzy Hash: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
                                                                                                                                    • Instruction Fuzzy Hash: A8518F71508745AFDB20AFA2DC49A9FB7A8FF45344F40083EF684E2152DB79D8848B5A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                      • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
                                                                                                                                    • free.MSVCRT(00000000), ref: 00409E9F
                                                                                                                                      • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
                                                                                                                                    • memset.MSVCRT ref: 00409D85
                                                                                                                                      • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
                                                                                                                                      • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
                                                                                                                                    • wcschr.MSVCRT ref: 00409DBD
                                                                                                                                    • memcpy.MSVCRT ref: 00409DF1
                                                                                                                                    • memcpy.MSVCRT ref: 00409E0C
                                                                                                                                    • memcpy.MSVCRT ref: 00409E27
                                                                                                                                    • memcpy.MSVCRT ref: 00409E42
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                                                    • Opcode ID: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
                                                                                                                                    • Instruction ID: 4efc6fce7ce7295637414d4ef923d95a635c1e3a2e0485d2030de31f1e6ccd1f
                                                                                                                                    • Opcode Fuzzy Hash: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
                                                                                                                                    • Instruction Fuzzy Hash: 4051FE71D40209ABEB50EFA5DC45B9EB7B8AF54304F15403BB504B72D2EB78AD048B98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 004029C4
                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
                                                                                                                                    • memset.MSVCRT ref: 00402A20
                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00402C96
                                                                                                                                      • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                      • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                      • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                    • memset.MSVCRT ref: 00402A95
                                                                                                                                      • Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5
                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E
                                                                                                                                      • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
                                                                                                                                      • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
                                                                                                                                      • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
                                                                                                                                    • memset.MSVCRT ref: 00402BF7
                                                                                                                                    • memcpy.MSVCRT ref: 00402C0A
                                                                                                                                    • MultiByteToWideChar.KERNEL32 ref: 00402C31
                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00402C3A
                                                                                                                                    Strings
                                                                                                                                    • chp, xrefs: 004029E6
                                                                                                                                    • SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
                                                                                                                                    • String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
                                                                                                                                    • API String ID: 1340729801-1844170479
                                                                                                                                    • Opcode ID: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
                                                                                                                                    • Instruction ID: 12325825b01e7d439ee1a457c4e284e7a4c6ca08c5b0c0223ff6c3e9a84d8d63
                                                                                                                                    • Opcode Fuzzy Hash: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
                                                                                                                                    • Instruction Fuzzy Hash: 61819172D00128ABDB11EBA5DC85AEE7778EF44314F1404BAF618F7291DB785F448B68
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
                                                                                                                                      • Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
                                                                                                                                      • Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
                                                                                                                                      • Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
                                                                                                                                      • Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
                                                                                                                                      • Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
                                                                                                                                    • DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
                                                                                                                                      • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                      • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                      • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                      • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
                                                                                                                                    • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
                                                                                                                                    • WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409B48
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409B4D
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409B52
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
                                                                                                                                    • API String ID: 327780389-4002013007
                                                                                                                                    • Opcode ID: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
                                                                                                                                    • Instruction ID: fb70aa460989ca239fd235d66d785af6871ae45b3eb53ae5652ba3f6cf74083a
                                                                                                                                    • Opcode Fuzzy Hash: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
                                                                                                                                    • Instruction Fuzzy Hash: B9411776900118BBCF119FA5DC499DFBFB9FF09760F108066F604A6252C7749E40DBA8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00410D59
                                                                                                                                    • memset.MSVCRT ref: 00410D6E
                                                                                                                                    • memset.MSVCRT ref: 00410D83
                                                                                                                                    • memset.MSVCRT ref: 00410D98
                                                                                                                                    • memset.MSVCRT ref: 00410DAD
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                      • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                      • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                    • wcslen.MSVCRT ref: 00410DD3
                                                                                                                                    • wcslen.MSVCRT ref: 00410DE4
                                                                                                                                    • wcslen.MSVCRT ref: 00410E1C
                                                                                                                                    • wcslen.MSVCRT ref: 00410E2A
                                                                                                                                    • wcslen.MSVCRT ref: 00410E63
                                                                                                                                    • wcslen.MSVCRT ref: 00410E71
                                                                                                                                    • memset.MSVCRT ref: 00410EF7
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                    • API String ID: 2775653040-2068335096
                                                                                                                                    • Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
                                                                                                                                    • Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
                                                                                                                                    • Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
                                                                                                                                    • Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00410F6A
                                                                                                                                    • memset.MSVCRT ref: 00410F7F
                                                                                                                                    • memset.MSVCRT ref: 00410F94
                                                                                                                                    • memset.MSVCRT ref: 00410FA9
                                                                                                                                    • memset.MSVCRT ref: 00410FBE
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                      • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                      • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                    • wcslen.MSVCRT ref: 00410FE4
                                                                                                                                    • wcslen.MSVCRT ref: 00410FF5
                                                                                                                                    • wcslen.MSVCRT ref: 0041102D
                                                                                                                                    • wcslen.MSVCRT ref: 0041103B
                                                                                                                                    • wcslen.MSVCRT ref: 00411074
                                                                                                                                    • wcslen.MSVCRT ref: 00411082
                                                                                                                                    • memset.MSVCRT ref: 00411108
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                    • API String ID: 2775653040-3369679110
                                                                                                                                    • Opcode ID: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                    • Instruction ID: 71a9fb945579d4cb0336c6bc71926503c314de5bf88e5d97c60d5b36565dc427
                                                                                                                                    • Opcode Fuzzy Hash: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                    • Instruction Fuzzy Hash: C3515E729012186ADB20EB51DD86FCF77BD9F85304F1140ABE208E2152EF799BC88B5D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                    • API String ID: 2238633743-70141382
                                                                                                                                    • Opcode ID: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                    • Instruction ID: f29cbade6603fc4a2ab0b3c2c5315d136f5cdb5c857cdf3d96e229ab99d62a04
                                                                                                                                    • Opcode Fuzzy Hash: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                    • Instruction Fuzzy Hash: 07F0B774940784ABDB316F759C09E06BEE0EFA8701721491EE1C153A54D779E040CF88
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                    • wcslen.MSVCRT ref: 004095CC
                                                                                                                                    • wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                    • memset.MSVCRT ref: 00409679
                                                                                                                                    • memcpy.MSVCRT ref: 0040969A
                                                                                                                                    • _wcsnicmp.MSVCRT ref: 004096DF
                                                                                                                                    • wcschr.MSVCRT ref: 00409707
                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                    • String ID: J$Microsoft_WinInet$Microsoft_WinInet_
                                                                                                                                    • API String ID: 1313344744-1864008983
                                                                                                                                    • Opcode ID: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                    • Instruction ID: ea1b4f48df4bf11ab27dc332c663e5edf47b9e63c97f7d7fc3a34612be846c77
                                                                                                                                    • Opcode Fuzzy Hash: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                    • Instruction Fuzzy Hash: A5511AB1D00209AFDF20DFA5C885AAEB7B8FF08304F14446AE919E7242D738AA45CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2827331108-0
                                                                                                                                    • Opcode ID: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                    • Instruction ID: 3deb3861b6046dda02d7dc4087396bab8fe4faf5ffc7b91e65a4640001166331
                                                                                                                                    • Opcode Fuzzy Hash: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                    • Instruction Fuzzy Hash: 3A51C279C00704DFEB30AFA5D8487AE77B4FB86711F20412BF451A7292D7788882CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040A444
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
                                                                                                                                      • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
                                                                                                                                    • wcschr.MSVCRT ref: 0040A4D0
                                                                                                                                    • wcschr.MSVCRT ref: 0040A4F0
                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
                                                                                                                                    • GetLastError.KERNEL32 ref: 0040A51F
                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
                                                                                                                                    • FindCloseUrlCache.WININET(?), ref: 0040A55C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                    • String ID: visited:
                                                                                                                                    • API String ID: 615219573-1702587658
                                                                                                                                    • Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                    • Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
                                                                                                                                    • Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                    • Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                    • memset.MSVCRT ref: 00409BC2
                                                                                                                                      • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
                                                                                                                                    • free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90
                                                                                                                                      • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
                                                                                                                                      • Part of subcall function 00408FFD: wcslen.MSVCRT ref: 0040900C
                                                                                                                                      • Part of subcall function 00408FFD: _memicmp.MSVCRT ref: 0040903A
                                                                                                                                    • _snwprintf.MSVCRT ref: 00409C5C
                                                                                                                                      • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
                                                                                                                                      • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                    • API String ID: 2804212203-2982631422
                                                                                                                                    • Opcode ID: 016f43b69d351da20f18e3d08cfb22cc6f3daed84736ca8803c7e9159e0743c6
                                                                                                                                    • Instruction ID: b0f72644bbd87b50ea7a8f8ee73cfa3b4c243fbe701b8101a2a2b04dab44341a
                                                                                                                                    • Opcode Fuzzy Hash: 016f43b69d351da20f18e3d08cfb22cc6f3daed84736ca8803c7e9159e0743c6
                                                                                                                                    • Instruction Fuzzy Hash: 29319471D042196AEF50EFA5CC45ADEB7F8AF44344F11007BA519B3182DB38AE448B98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
                                                                                                                                      • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                      • Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
                                                                                                                                      • Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
                                                                                                                                      • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
                                                                                                                                      • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
                                                                                                                                      • Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
                                                                                                                                      • Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F
                                                                                                                                      • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
                                                                                                                                      • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
                                                                                                                                      • Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
                                                                                                                                      • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
                                                                                                                                      • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
                                                                                                                                      • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                    • _wcslwr.MSVCRT ref: 0040AA14
                                                                                                                                    • wcslen.MSVCRT ref: 0040AA29
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
                                                                                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                    • API String ID: 4091582287-4196376884
                                                                                                                                    • Opcode ID: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
                                                                                                                                    • Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
                                                                                                                                    • Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
                                                                                                                                    • Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@
                                                                                                                                    • String ID: `s]$hw]$p{]
                                                                                                                                    • API String ID: 613200358-339819022
                                                                                                                                    • Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                    • Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
                                                                                                                                    • Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                    • Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040A015
                                                                                                                                    • memset.MSVCRT ref: 0040A02D
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                    • wcslen.MSVCRT ref: 0040A049
                                                                                                                                    • wcslen.MSVCRT ref: 0040A058
                                                                                                                                    • wcslen.MSVCRT ref: 0040A09F
                                                                                                                                    • wcslen.MSVCRT ref: 0040A0AE
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                    • API String ID: 2036768262-2114579845
                                                                                                                                    • Opcode ID: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
                                                                                                                                    • Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
                                                                                                                                    • Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
                                                                                                                                    • Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                    • API String ID: 3510742995-2641926074
                                                                                                                                    • Opcode ID: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
                                                                                                                                    • Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
                                                                                                                                    • Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
                                                                                                                                    • Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
                                                                                                                                      • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
                                                                                                                                      • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
                                                                                                                                      • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A
                                                                                                                                    • memset.MSVCRT ref: 00410A9A
                                                                                                                                    • wcslen.MSVCRT ref: 00410AB1
                                                                                                                                    • wcslen.MSVCRT ref: 00410AB9
                                                                                                                                    • wcslen.MSVCRT ref: 00410B14
                                                                                                                                    • wcslen.MSVCRT ref: 00410B22
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memsetwcscat$wcscpy
                                                                                                                                    • String ID: history.dat$places.sqlite
                                                                                                                                    • API String ID: 2541527827-467022611
                                                                                                                                    • Opcode ID: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
                                                                                                                                    • Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
                                                                                                                                    • Opcode Fuzzy Hash: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
                                                                                                                                    • Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memsetwcscatwcscpy
                                                                                                                                    • String ID: Login Data$Web Data
                                                                                                                                    • API String ID: 3932597654-4228647177
                                                                                                                                    • Opcode ID: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
                                                                                                                                    • Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
                                                                                                                                    • Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
                                                                                                                                    • Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@
                                                                                                                                    • String ID: `s]$hw]$p{]
                                                                                                                                    • API String ID: 1033339047-339819022
                                                                                                                                    • Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                    • Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
                                                                                                                                    • Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                    • Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
                                                                                                                                    • CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417D99
                                                                                                                                    • free.MSVCRT(?), ref: 00417DA6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFile$ErrorLastfree
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 77810686-0
                                                                                                                                    • Opcode ID: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
                                                                                                                                    • Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
                                                                                                                                    • Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
                                                                                                                                    • Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3532479477-0
                                                                                                                                    • Opcode ID: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
                                                                                                                                    • Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
                                                                                                                                    • Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
                                                                                                                                    • Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00410CA3
                                                                                                                                    • memset.MSVCRT ref: 00410CB8
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
                                                                                                                                      • Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA
                                                                                                                                    • wcscat.MSVCRT ref: 00410CE1
                                                                                                                                      • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                      • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                      • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                    • wcscat.MSVCRT ref: 00410D0A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                    • API String ID: 1534475566-1174173950
                                                                                                                                    • Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
                                                                                                                                    • Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
                                                                                                                                    • Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
                                                                                                                                    • Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%
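
Taken together, the records above describe a credential-harvesting routine inside the injected process (memory dump 00000008.00000002.408592264.0000000000400000): it resolves the profile root with SHGetSpecialFolderPathW(..., 0x1A = CSIDL_APPDATA, ...) (falling back to the Shell Folders registry key), appends Internet Explorer WebCache, Firefox and Chromium store file names with wcscat/wcscpy, and carries SQLite's own collation and error strings (BINARY, NOCASE, RTRIM, "no such vfs: %s"), i.e. it opens the browser databases with an embedded SQLite engine rather than through the browser. The Python script below is an added example, not code from the report, the sandbox or the sample: it parses function records in the layout shown above and flags those that combine known store file names with path construction. The artifact descriptions, the CSIDL table and the constructed sample input are this example's assumptions.

```python
"""Parse Joe Sandbox function records (the APIs / String ID blocks above) and
flag functions that build paths to browser credential or history stores.
Added example for this report; not code from the sample or the sandbox."""
import re
from dataclasses import dataclass, field

# Constructed input: four records copied from this report's own layout and
# trimmed to the lines the parser reads (hashes and empty sections dropped).
SAMPLE = r"""
APIs
• memset.MSVCRT ref: 0040A02D
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
• API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2036768262-2114579845
Uniqueness Score: -1.00%
APIs
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
APIs
• API ID: wcslen$memsetwcscatwcscpy
• String ID: Login Data$Web Data
• API String ID: 3932597654-4228647177
APIs
• CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
• CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
• API ID: CreateFile$ErrorLastfree
• String ID:
• API String ID: 77810686-0
"""

# Store names seen in the String IDs above -> what they hold (assumed labels).
ARTIFACTS = {
    "WebCacheV01.dat": "IE/legacy Edge WebCache (history, cookies)",
    "WebCacheV24.dat": "IE/legacy Edge WebCache (history, cookies)",
    "places.sqlite": "Firefox history and bookmarks",
    "history.dat": "older Mozilla history",
    "Login Data": "Chromium saved logins",
    "Web Data": "Chromium autofill data",
    "Mozilla\\Firefox\\Profiles": "Firefox profile directory",
    "Mozilla\\Profiles": "older Mozilla profile directory",
}
CSIDL = {"0000001A": "CSIDL_APPDATA (%APPDATA%)", "0000001C": "CSIDL_LOCAL_APPDATA"}
SQLITE_MARKERS = {"no such vfs: %s", "NOCASE", "RTRIM"}  # SQLite's own strings
PATH_BUILD_APIS = {"SHGetSpecialFolderPathW", "wcscat", "wcscpy", "_snwprintf"}

# One API line: optional "Part of subcall function XXXX:", api.DLL(args), ref.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[^\s.(]+)\.(?P<dll>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)  # (api, dll, args, call_site, via_subcall)
    strings: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""

def parse_records(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every record opens with this header
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            cur.apis.append((m["api"], m["dll"], args, m["ref"], m["sub"] is not None))
        elif line.startswith("• String ID:"):   # '$' separates the strings
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return records

def builds_path(rec):
    if {a for a, *_ in rec.apis} & PATH_BUILD_APIS:
        return True
    # The API ID field concatenates sorted name fragments without separators
    # (on this page SHGetSpecialFolderPathW appears as Folder, Path, Special),
    # so fall back to fragment matching when the API list itself is empty.
    words = set(re.findall(r"[A-Z][a-z]+", rec.api_id))
    return {"Folder", "Path", "Special"} <= words or any(
        crt in rec.api_id for crt in ("wcscat", "wcscpy", "snwprintf"))

def analyze(text):
    out = []
    for rec in parse_records(text):
        artifacts = {a: d for a, d in ARTIFACTS.items() if any(a in s for s in rec.strings)}
        roots = [CSIDL.get(args[2], "CSIDL " + args[2]) for a, _, args, _, _ in rec.apis
                 if a == "SHGetSpecialFolderPathW" and len(args) > 2]
        shares = [int(args[2], 16) for a, _, args, _, _ in rec.apis
                  if a in ("CreateFileW", "CreateFileA") and len(args) > 2 and args[2] != "?"]
        out.append({"api_string_id": rec.api_string_id, "artifacts": artifacts,
                    "roots": roots,
                    "share_modes": shares,   # 3 == FILE_SHARE_READ | FILE_SHARE_WRITE
                    "embedded_sqlite": bool(SQLITE_MARKERS & set(rec.strings)),
                    "flag": bool(artifacts) and builds_path(rec)})
    return out

if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(r["api_string_id"], "FLAG" if r["flag"] else "-", sorted(r["artifacts"]), r["roots"])
```

The share mode 3 on both CreateFile calls (FILE_SHARE_READ | FILE_SHARE_WRITE) is what lets the sample read a store while the browser still holds it open; the embedded-SQLite marker explains why no browser process needs to be involved, so a detection built on process ancestry alone would miss this read.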

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                      • Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
                                                                                                                                      • Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB
                                                                                                                                      • Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF
                                                                                                                                    • memset.MSVCRT ref: 004035BC
                                                                                                                                    • memcpy.MSVCRT ref: 004035D0
                                                                                                                                    • wcscmp.MSVCRT ref: 004035F8
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040362F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1763786148-3916222277
                                                                                                                                    • Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
                                                                                                                                    • Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
                                                                                                                                    • Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
                                                                                                                                    • Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
                                                                                                                                      • Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                    • memset.MSVCRT ref: 004145B1
• RegCloseKey.ADVAPI32(?), ref: 00414618
• wcscpy.MSVCRT ref: 00414626
  • Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2699640517-2036018995
• Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
• Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 00413D15
• _snwprintf.MSVCRT ref: 00413D3A
• WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
• GetPrivateProfileStringW.KERNEL32 ref: 00413D70
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
• Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
• Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
• Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
• Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
• Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
  • Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
  • Part of subcall function 00409A23: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
  • Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
  • Part of subcall function 00409A23: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
  • Part of subcall function 00409A23: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
  • Part of subcall function 00409A23: WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
  • Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
  • Part of subcall function 00409A23: FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87
  • Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
  • Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
  • Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1
• DeleteFileW.KERNELBASE(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
• CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF
  • Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
  • Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
  • Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
• API String ID: 3931293568-1514811420
• Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
• Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
• Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
• Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
• Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
• LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: PStoreCreateInstance$pstorec.dll
• API String ID: 145871493-2881415372
• Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
• Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
• Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D
Uniqueness
Uniqueness Score: -1.00%

Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
• Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
• Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
• Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
  • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
• memcmp.MSVCRT ref: 0044455D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$LibraryLoadmemcmp
• String ID: $$8
• API String ID: 2708812716-435121686
• Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
• Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
• Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
• wcslen.MSVCRT ref: 0040A819
• memset.MSVCRT ref: 0040A898
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadmemsetwcslen
• String ID: P5@
• API String ID: 1960736289-1192260740

APIs
  • Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
  • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
  • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
• GetLastError.KERNEL32 ref: 00416F42
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0

Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1858513025-2863569691

APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
• GetLastError.KERNEL32 ref: 00416EBD
• GetLastError.KERNEL32 ref: 00416EC3
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0

APIs
• GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
• GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0

APIs
• malloc.MSVCRT ref: 004080C8
• memcpy.MSVCRT ref: 004080E0
• free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0

APIs
• ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: CCD
• API String ID: 2738559852-662205380

Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435

APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
• FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
  • Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
  • Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
  • Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
                                                                                                                                    • Opcode ID: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
                                                                                                                                    • Instruction ID: 2161babe09ea1c109a016804ff5c091d56ac672142073ac0305c405afa28cd18
                                                                                                                                    • Opcode Fuzzy Hash: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
                                                                                                                                    • Instruction Fuzzy Hash: 37216074B00205AFD714EFAAC881A9DB7A9FF84304F1001BFA415A7782DB79AD148B95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • failed to allocate %u bytes of memory, xrefs: 00414C46
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: malloc
                                                                                                                                    • String ID: failed to allocate %u bytes of memory
                                                                                                                                    • API String ID: 2803490479-1168259600
                                                                                                                                    • Opcode ID: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
                                                                                                                                    • Instruction ID: cc16955a0d14ca8776a7aa5b229d79c98c920de21d1adc6b7d8c4ece6c284845
                                                                                                                                    • Opcode Fuzzy Hash: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
                                                                                                                                    • Instruction Fuzzy Hash: 64E020B7F0361267C2004615DC0168777959FD132171B0637F95CD3680D63CD84587A9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00416EEB
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1821831730-0
                                                                                                                                    • Opcode ID: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
                                                                                                                                    • Instruction ID: ddbdeb719d62bbcd0ae2c24f8bc232808eb7cee6ac061654c4d164212cdc0068
                                                                                                                                    • Opcode Fuzzy Hash: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
                                                                                                                                    • Instruction Fuzzy Hash: 35E0C23F11071A9FDB0097BCDC90AD773D8EF56338726433AF662C61A0CA65D8828654
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcmpmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1065087418-0
                                                                                                                                    • Opcode ID: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                    • Instruction ID: 1efd5175aaeb232b83b4fa12f0066e98a2b2c589ef3b7fe000d2c80dadf29316
                                                                                                                                    • Opcode Fuzzy Hash: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                    • Instruction Fuzzy Hash: AF617C71A01245EFDB10EFA485C06EEB7B4FB54308F14846FE11497281E738AED59B9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2221118986-0
                                                                                                                                    • Opcode ID: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
                                                                                                                                    • Instruction ID: 158bf94f573ecacca79ccaf447c09fb498ee4e42fef6769a8b2fd70c0d8b82a4
                                                                                                                                    • Opcode Fuzzy Hash: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
                                                                                                                                    • Instruction Fuzzy Hash: 0D417A72500602EFCB309F64D9848ABB7F6FB14314710492FE54AC7660EB38E9D5CB58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22
                                                                                                                                      • Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
                                                                                                                                      • Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
                                                                                                                                      • Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF
                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$File$Time$CloseCompareCreateHandlememset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4204647287-0
                                                                                                                                    • Opcode ID: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                    • Instruction ID: e327927a43c347593f183825775ae13c5bf460ea87da421573a566f28fb83fb7
                                                                                                                                    • Opcode Fuzzy Hash: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                    • Instruction Fuzzy Hash: 7A117076C00218EBCF11EBA5DA419DEB7B9EF44300F10006BE441F3281EA749B84CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                    • Opcode ID: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                    • Instruction ID: 10cf5b1db118189887eacc4ff35e91e25d6bd08443c232d43c4ae27a9a01ea3e
                                                                                                                                    • Opcode Fuzzy Hash: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                    • Instruction Fuzzy Hash: FBE0C776100100FFE620AF08CC06F2BBBF8EFC4B00F10882EB2C49A0B5C6326812CB25
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 00413E45
                                                                                                                                      • Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
                                                                                                                                      • Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
                                                                                                                                      • Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                    • Opcode ID: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                    • Instruction ID: 5d66eace87880ca3e294b7f0e570a8e3be22b6ae62b10c3d44e19be24f2def2d
                                                                                                                                    • Opcode Fuzzy Hash: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                    • Instruction Fuzzy Hash: 89E0B632000249ABDF126F91EC01AAA7F66FF14315F148459FD6C14121D33295B0AF84
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                    • Opcode ID: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                    • Instruction ID: 39ddfc5443798b4b2f471bdaff8db486b4a9363c7739a8bb917076c50ef601e7
                                                                                                                                    • Opcode Fuzzy Hash: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                    • Instruction Fuzzy Hash: 92E0F6B5900B008F97308F2BE944506FBF8BEE46103108A1F91AAC2A21C3B4A5498F94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$FileLibraryLoadModuleName
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3821362017-0
                                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                    • Instruction ID: 7bbd5afd8370dadb00360ee8d7667c1b04e34d2617d736b2e99a938255987c13
                                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                    • Instruction Fuzzy Hash: 7CD022312043007BD231EE708C00FCBB3E8BF44711F028C1AB190E2280C3B8C9409308
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
• Instruction ID: 53121aa1ed69e67302caa1b874726051d72530908054280e128cb363a29a4499
• Opcode Fuzzy Hash: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
• Instruction Fuzzy Hash: 51D0C9324005229BDB00AF26EC45B857368EF00351B150025E800BB492D738BEA28ADC
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
• Instruction ID: 44b36b217b32540387e14a2368d622af177610148a3238ec1afc6282a592e5c5
• Opcode Fuzzy Hash: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
• Instruction Fuzzy Hash: 64D0C93551020DFFDF01CF80DD06FDE7B7DEB04359F104054BA0495060C7B59A10AB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
• Instruction ID: 729bcb02508df23f9412a42fb8e8b3188fed1bd1f0cd2b7b0f8edc4fa6246a8f
• Opcode Fuzzy Hash: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
• Instruction Fuzzy Hash: E3C092B4240201BEFF228B10ED15F36295CD740700F2044247E00E80E0D1A04E108924
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
• Instruction ID: edb615435fe3ce855b8554d9524e6f242ae4b45eb81851bd3d2393cb7dc29c83
• Opcode Fuzzy Hash: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
• Instruction Fuzzy Hash: 67C012F43503017FFF208B10AD0AF37395DD780700F1084207F00E80E1D2E14C008924
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
• Instruction ID: 664dc763c5da3aaab367392b47211da9bee634dc4adcd4213ebe75a48c3d30fa
• Opcode Fuzzy Hash: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
• Instruction Fuzzy Hash: 6EC09BB29127015BF7309F66C40471373D85F50767F314C5DA4D1964C1DB7CD5408514
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
• Instruction ID: 894f21907dab3ca3b917dc931ff3d8bd940b81db11264512214ff9c0d0df685d
• Opcode Fuzzy Hash: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
• Instruction Fuzzy Hash: 23C09B35654341A7C7029F109C0DF1E7EA5BB95705F504C29B151940A0C75251549609
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
• Instruction ID: 3bd61d94ea2d0ebbf22c21a92135ad1df5e9ea430364887b997a0a3dbe6c7a02
• Opcode Fuzzy Hash: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
• Instruction Fuzzy Hash: 3EC048345109018BD6289F38986A52A77A0AA5A3303A44F6CA0F2920E2E73888428A04
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
• Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
• Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
• Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
• Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
• Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
• Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
• Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
• Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
• Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
• Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
• Opcode Fuzzy Hash: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
• Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
  • Part of subcall function 004057D2: SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
• memcpy.MSVCRT ref: 00405E6E
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
• Opcode ID: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
• Instruction ID: b6d0ac0748dce8c6543b82d29fb895a5afc24863716f8b43ab814fbacadff293
• Opcode Fuzzy Hash: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
• Instruction Fuzzy Hash: 2F11B272500908BBD711A755C844F9F77ACEF84318F15807BF94573182C738AE068BE9
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
• Instruction ID: 08e2259bb844cdb7583518af71a3b249da553f2a004d57c4b783ea4beab812a3
• Opcode Fuzzy Hash: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
• Instruction Fuzzy Hash: 3B118871600605AFDB10DF65C8C199AB7F8FF04314F11853EE416E7281EB34F9158B68
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004057C0: CloseHandle.KERNEL32(000000FF,00405750,00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF), ref: 004057C8
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetLastError.KERNEL32(00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF,00000000,00000104), ref: 004057AD
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2136311172-0
                                                                                                                                    • Opcode ID: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                    • Instruction ID: 00704370d8ec878584a64fe5f9f18aab24b7d249e6cd1ef38c395e5c556ec921
                                                                                                                                    • Opcode Fuzzy Hash: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                    • Instruction Fuzzy Hash: 190181B5415A00DFE7205B30C905BA776E8EF51315F10893FE595E72C1EB7C9480DAAE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1936579350-0
                                                                                                                                    • Opcode ID: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                    • Instruction ID: 8918756149df837d9eea435be632a3e0a17df07a668273fb2c59ff5331204d46
                                                                                                                                    • Opcode Fuzzy Hash: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                    • Instruction Fuzzy Hash: 2BC08C724182100AD650FF79280205622D49E82320301882FE091E3142D53848014344
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                    • Opcode ID: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                    • Instruction ID: def78aeb235da03500d5bf48ca01037dd20a397eb60980b6de46ef9d9da7be76
                                                                                                                                    • Opcode Fuzzy Hash: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                    • Instruction Fuzzy Hash: ACC01272420B018FF7209E11C406722B3E4EF0077BF618C0D909481482C77CD4408A48
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                    • Opcode ID: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
                                                                                                                                    • Instruction ID: eebb639015016b4d35185c1cf15d7584ef51e0a9315dec3cbabf5363aa789e86
                                                                                                                                    • Opcode Fuzzy Hash: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
                                                                                                                                    • Instruction Fuzzy Hash: C5C0127A4107028BF7308F21C509322B2E5AF0072BF708C0D90D081482CB7CD0808A08
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                    • Opcode ID: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
                                                                                                                                    • Instruction ID: c34dd2395d73de7fd8324248a47ac8fcc6ed20e97332430ae650d69d176587ff
                                                                                                                                    • Opcode Fuzzy Hash: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
                                                                                                                                    • Instruction Fuzzy Hash: C8900286455511116C0425756C0760911480892176335074A7032959D1CE1C8150601C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Non-executed Functions

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00443A8C
                                                                                                                                    • wcscpy.MSVCRT ref: 00443AA3
                                                                                                                                    • memset.MSVCRT ref: 00443AD6
                                                                                                                                    • wcscpy.MSVCRT ref: 00443AEC
                                                                                                                                    • wcscat.MSVCRT ref: 00443AFD
                                                                                                                                    • wcscpy.MSVCRT ref: 00443B23
                                                                                                                                    • wcscat.MSVCRT ref: 00443B34
                                                                                                                                    • wcscpy.MSVCRT ref: 00443B5B
                                                                                                                                    • wcscat.MSVCRT ref: 00443B6C
                                                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
                                                                                                                                    • LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
                                                                                                                                    • LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
                                                                                                                                    • LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
                                                                                                                                    • String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                                                                    • API String ID: 2522319644-522817110
                                                                                                                                    • Opcode ID: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
                                                                                                                                    • Instruction ID: 5ad66febf3ba3de4182efca1dfca8304e8a02b444a88a93b5109a45c6fbe2280
                                                                                                                                    • Opcode Fuzzy Hash: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
                                                                                                                                    • Instruction Fuzzy Hash: 0E5153B1940719AAEB20FFA28D49F47B6E8AF58B04F1109ABE549D2141E77CE644CF18
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4218492932-0
                                                                                                                                    • Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                    • Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
                                                                                                                                    • Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                    • Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417BF2
                                                                                                                                      • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C19
                                                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C42
                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00417C5D
                                                                                                                                    • free.MSVCRT(?,0044C838,?), ref: 00417C8B
                                                                                                                                      • Part of subcall function 00416D4F: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
                                                                                                                                      • Part of subcall function 00416D4F: malloc.MSVCRT ref: 00416D74
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                                                    • API String ID: 2360000266-2664311388
                                                                                                                                    • Opcode ID: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
                                                                                                                                    • Instruction ID: 86e7f975cda22aef79341c94f36a987d619a37d11feed098ff88b3a8796ba2f5
                                                                                                                                    • Opcode Fuzzy Hash: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
                                                                                                                                    • Instruction Fuzzy Hash: BA11B234E01228BBDB11ABA2DD8DCDF7F78EF85750B20005BF40592211E7784A80DBE8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00408CC4
                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408CE3
                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00408D03
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                                                                    • String ID: .$1k@$nss3.dll
                                                                                                                                    • API String ID: 3541575487-3908353483
                                                                                                                                    • Opcode ID: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
                                                                                                                                    • Instruction ID: f3d79de5d6fec64b9baa04ebfd9a669330ca9081903d010b6bc69252f5057639
                                                                                                                                    • Opcode Fuzzy Hash: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
                                                                                                                                    • Instruction Fuzzy Hash: 6CF0BB759005246BDF205B64EC4C6ABB7BCFF45365F000176ED06A71C1D7749D458A98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                      • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                      • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                    • OpenClipboard.USER32(?), ref: 0040F0B6
                                                                                                                                    • GetLastError.KERNEL32 ref: 0040F0CB
                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 0040F0EA
                                                                                                                                      • Part of subcall function 00407F9A: EmptyClipboard.USER32 ref: 00407FA4
                                                                                                                                      • Part of subcall function 00407F9A: GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
                                                                                                                                      • Part of subcall function 00407F9A: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
                                                                                                                                      • Part of subcall function 00407F9A: GlobalLock.KERNEL32 ref: 00407FDF
                                                                                                                                      • Part of subcall function 00407F9A: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
                                                                                                                                      • Part of subcall function 00407F9A: GlobalUnlock.KERNEL32(00000000), ref: 00408004
                                                                                                                                      • Part of subcall function 00407F9A: SetClipboardData.USER32 ref: 0040800D
                                                                                                                                      • Part of subcall function 00407F9A: CloseHandle.KERNEL32(?), ref: 00408021
                                                                                                                                      • Part of subcall function 00407F9A: CloseClipboard.USER32 ref: 00408035
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2633007058-0
                                                                                                                                    • Opcode ID: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
                                                                                                                                    • Instruction ID: d4411bd4de1fade650879fa69a29e8aba7a0aa0f0e0d1894cd1391532f6ebd18
                                                                                                                                    • Opcode Fuzzy Hash: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
                                                                                                                                    • Instruction Fuzzy Hash: 4CF0A4357003006BEA3027359C0EF9B375DDB80714F00453AF852A65D3EE79E8898568
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Version
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                    • Opcode ID: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
                                                                                                                                    • Instruction ID: e5ecc73df534455334d47becca92420b288d3786a246e23e5c2a841cda36e69b
                                                                                                                                    • Opcode Fuzzy Hash: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
                                                                                                                                    • Instruction Fuzzy Hash: 17C08C329112208BDB11AB08FE0A7CD72989B0B727F014077E802A2252C7F848048BBC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040233E
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040236E
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040239B
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004023C8
                                                                                                                                      • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
                                                                                                                                      • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
                                                                                                                                    • memset.MSVCRT ref: 0040276C
                                                                                                                                    • memcpy.MSVCRT ref: 004027A1
                                                                                                                                      • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
                                                                                                                                      • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
                                                                                                                                      • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
                                                                                                                                    • memcpy.MSVCRT ref: 004027FD
                                                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
                                                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                    • API String ID: 462158748-1134094380
                                                                                                                                    • Opcode ID: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
                                                                                                                                    • Instruction ID: 2d0d0591d6411435ed5b4a397348faa82e1f821ad6e98c1f3977ba2ad668a768
                                                                                                                                    • Opcode Fuzzy Hash: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
                                                                                                                                    • Instruction Fuzzy Hash: FBF1F2218087E9C9DB32C7788C097DEBE655B23324F0443D9D1E87A2D2D7B94B85CB66
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                    • String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
                                                                                                                                    • API String ID: 2787044678-1843504584
                                                                                                                                    • Opcode ID: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
                                                                                                                                    • Instruction ID: f322a3b8e7f5a6d162087a7bfffa82d5495360e728e73a59fe9151b9b78652c6
                                                                                                                                    • Opcode Fuzzy Hash: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
                                                                                                                                    • Instruction Fuzzy Hash: 8191B271500219ABEF20DF55CC45FEF776DAF91314F01046AF948A7181EA3CEDA48B69
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32 ref: 00413709
                                                                                                                                    • GetDlgItem.USER32 ref: 00413715
                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00413724
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00413730
                                                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 00413739
                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00413745
                                                                                                                                    • GetWindowRect.USER32 ref: 00413757
                                                                                                                                    • GetWindowRect.USER32 ref: 00413762
                                                                                                                                    • MapWindowPoints.USER32 ref: 00413776
                                                                                                                                    • MapWindowPoints.USER32 ref: 00413784
                                                                                                                                    • GetDC.USER32 ref: 004137BD
                                                                                                                                    • wcslen.MSVCRT ref: 004137FD
                                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0041380E
                                                                                                                                    • ReleaseDC.USER32 ref: 0041385B
                                                                                                                                    • _snwprintf.MSVCRT ref: 0041391E
                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00413932
                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00413950
                                                                                                                                    • GetDlgItem.USER32 ref: 00413986
                                                                                                                                    • GetWindowRect.USER32 ref: 00413996
                                                                                                                                    • MapWindowPoints.USER32 ref: 004139A4
                                                                                                                                    • GetClientRect.USER32 ref: 004139BB
                                                                                                                                    • GetWindowRect.USER32 ref: 004139C5
                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00413A0B
                                                                                                                                    • GetClientRect.USER32 ref: 00413A15
                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00413A4D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                    • API String ID: 2080319088-3046471546
                                                                                                                                    • Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                    • Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
                                                                                                                                    • Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                    • Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                    • String ID: WebBrowserPassView
                                                                                                                                    • API String ID: 829165378-2171583229
                                                                                                                                    • Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
                                                                                                                                    • Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
                                                                                                                                    • Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
                                                                                                                                    • Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%
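
The String IDs in the function entries above are the most reusable part of this listing: nss3.dll (Firefox's NSS library), com.apple.Safari and com.apple.WebKit2WebProcess next to a dynamically resolved CryptUnprotectData, the dpapi: / wininetcachecredentials / internet explorer markers, and the WebBrowserPassView dialog title together identify which credential stores the code in this memory region goes after. The script below is an added example written by the editor; it is not code from the Joe Sandbox report, from HawkEye, or from NirSoft. It scans a memory dump for exactly those strings in both ASCII and UTF-16LE (most of the compares in the listing are wide-string APIs such as _wcsicmp and WideCharToMultiByte, so the literals usually sit in the image as UTF-16LE) and only flags when strings for more than one store co-occur, because nss3.dll on its own is present in every Firefox install. The grouping of strings into stores, the two-store threshold and the sample blobs are the editor's assumptions.

```python
"""Indicator scan for the browser-credential-theft strings listed above.

Editor's example; not code from the Joe Sandbox report, from HawkEye or from
NirSoft. The indicator strings are copied from the String ID lines above; the
grouping into credential stores and the two-store threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# String IDs quoted in the function entries above, grouped by the credential
# store each one is used against (grouping is the editor's reading).
INDICATORS: Dict[str, List[str]] = {
    "firefox_nss":  ["nss3.dll"],
    "safari_dpapi": ["com.apple.Safari", "com.apple.WebKit2WebProcess",
                     "CryptUnprotectData"],
    "ie_vault":     ["dpapi:", "wininetcachecredentials",
                     "internet explorer", ":stringdata"],
    "nirsoft_gui":  ["WebBrowserPassView"],
}


@dataclass(frozen=True)
class Hit:
    group: str
    string: str
    encoding: str   # "ascii" or "utf-16-le"
    offset: int     # byte offset of the first occurrence in the blob


def _patterns(s: str) -> List[Tuple[str, bytes]]:
    # The listing is dominated by wide-string APIs (_wcsicmp, LoadLibraryW,
    # WideCharToMultiByte), so literals are usually UTF-16LE in the image;
    # import names and JSON keys are ASCII. Search both, lower-cased, since
    # _wcsicmp compares case-insensitively.
    low = s.lower()
    return [("ascii", low.encode("ascii")),
            ("utf-16-le", low.encode("utf-16-le"))]


def scan(blob: bytes) -> List[Hit]:
    """Return one Hit per (indicator, encoding) pair present in blob."""
    # bytes.lower() only rewrites A-Z, so the 0x00 high bytes of UTF-16LE
    # text are untouched and the wide patterns still match.
    hay = blob.lower()
    hits: List[Hit] = []
    for group, strings in INDICATORS.items():
        for s in strings:
            for enc, pat in _patterns(s):
                off = hay.find(pat)
                if off != -1:
                    hits.append(Hit(group, s, enc, off))
    return hits


def groups_hit(hits: List[Hit]) -> Dict[str, List[str]]:
    """Collapse hits to {store: [distinct strings seen]}."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        bucket = out.setdefault(h.group, [])
        if h.string not in bucket:
            bucket.append(h.string)
    return out


def looks_like_browser_stealer(hits: List[Hit], min_groups: int = 2) -> bool:
    """Flag only when strings for at least min_groups distinct stores co-occur.

    A lone nss3.dll is in every Firefox install and CryptUnprotectData is
    imported by plenty of legitimate software; it is the combination across
    stores that characterises a password-recovery payload.
    """
    return len(groups_hit(hits)) >= min_groups


# Constructed sample blobs (not real dump contents) so the script runs offline.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "WebBrowserPassView".encode("utf-16-le")       # wide, as a dialog title
    + b"\x00" * 8
    + b"nss3.dll\x00crypt32.dll\x00CryptUnprotectData\x00"   # ASCII names
    + "wininetcachecredentials".encode("utf-16-le")
    + "dpapi:".encode("utf-16-le")
    + "com.apple.Safari".encode("utf-16-le")
)

# A Firefox-like image names its own NSS library and nothing else.
BENIGN_BLOB = b"mozglue.dll\x00nss3.dll\x00xul.dll\x00"


if __name__ == "__main__":
    hits = scan(SAMPLE_DUMP)
    for h in hits:
        print(f"{h.group:13s} {h.encoding:9s} +0x{h.offset:04x} {h.string}")
    print("stealer:", looks_like_browser_stealer(hits))
    print("benign :", looks_like_browser_stealer(scan(BENIGN_BLOB)))
```

Run it against the dumped region the entries above refer to (process 8, image base 0x400000) by reading the dump file into `scan()`; the offsets it reports can be added to the base to cross-check against the String ID lines. Raising `min_groups` trades recall for fewer false positives on legitimate software that happens to import crypt32.dll.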

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
                                                                                                                                      • Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
                                                                                                                                      • Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46
                                                                                                                                    • memset.MSVCRT ref: 004071FD
                                                                                                                                    • memset.MSVCRT ref: 00407212
                                                                                                                                    • _wtoi.MSVCRT ref: 00407306
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040731A
                                                                                                                                    • memset.MSVCRT ref: 0040733B
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB
                                                                                                                                      • Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2
                                                                                                                                      • Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
                                                                                                                                      • Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
                                                                                                                                      • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
                                                                                                                                      • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
                                                                                                                                      • Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
                                                                                                                                      • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
                                                                                                                                      • Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
                                                                                                                                      • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
                                                                                                                                      • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
                                                                                                                                    • API String ID: 249851626-1964116028
                                                                                                                                    • Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
                                                                                                                                    • Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
                                                                                                                                    • Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
                                                                                                                                    • Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F
                                                                                                                                    • {Unknown}, xrefs: 00411492
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                                                    • Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
                                                                                                                                    • Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
                                                                                                                                    • Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
                                                                                                                                    • Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00411781
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
                                                                                                                                    • memset.MSVCRT ref: 004117F1
                                                                                                                                    • wcslen.MSVCRT ref: 004117FE
                                                                                                                                    • wcslen.MSVCRT ref: 0041180D
                                                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
                                                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
                                                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8
                                                                                                                                      • Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
                                                                                                                                      • Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
                                                                                                                                      • Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
                                                                                                                                      • Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
                                                                                                                                      • Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
                                                                                                                                      • Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
                                                                                                                                    • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                                                    • API String ID: 2554026968-4029219660
                                                                                                                                    • Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
                                                                                                                                    • Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
                                                                                                                                    • Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
                                                                                                                                    • Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00411760: memset.MSVCRT ref: 00411781
                                                                                                                                      • Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
                                                                                                                                      • Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
                                                                                                                                      • Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
                                                                                                                                      • Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
                                                                                                                                      • Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
                                                                                                                                      • Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
                                                                                                                                      • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
                                                                                                                                      • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
                                                                                                                                      • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
                                                                                                                                      • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
                                                                                                                                      • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
                                                                                                                                      • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
                                                                                                                                      • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
                                                                                                                                    • memset.MSVCRT ref: 004079D1
                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
                                                                                                                                    • memset.MSVCRT ref: 00407A23
                                                                                                                                    • memset.MSVCRT ref: 00407A3B
                                                                                                                                    • memset.MSVCRT ref: 00407A53
                                                                                                                                    • memset.MSVCRT ref: 00407A6B
                                                                                                                                    • memset.MSVCRT ref: 00407A83
                                                                                                                                    • wcslen.MSVCRT ref: 00407A8E
                                                                                                                                    • wcslen.MSVCRT ref: 00407A9C
                                                                                                                                    • wcslen.MSVCRT ref: 00407ACB
                                                                                                                                    • wcslen.MSVCRT ref: 00407AD9
                                                                                                                                    • wcslen.MSVCRT ref: 00407B08
                                                                                                                                    • wcslen.MSVCRT ref: 00407B16
                                                                                                                                    • wcslen.MSVCRT ref: 00407B45
                                                                                                                                    • wcslen.MSVCRT ref: 00407B53
                                                                                                                                    • wcslen.MSVCRT ref: 00407B82
                                                                                                                                    • wcslen.MSVCRT ref: 00407B90
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                      • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                      • Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
                                                                                                                                      • Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
                                                                                                                                      • Part of subcall function 0040744D: memset.MSVCRT ref: 00407520
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
                                                                                                                                    • String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                                                                                    • API String ID: 3287676187-2852686199
                                                                                                                                    • Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
                                                                                                                                    • Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
                                                                                                                                    • Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
                                                                                                                                    • Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
                                                                                                                                    • String ID: General$IsRelative$Path$Profile%d$profiles.ini
                                                                                                                                    • API String ID: 3014334669-2600475665
                                                                                                                                    • Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
                                                                                                                                    • Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
                                                                                                                                    • Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
                                                                                                                                    • Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040B5D4: LoadMenuW.USER32 ref: 0040B5DC
                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040EC7A
                                                                                                                                    • CreateStatusWindowW.COMCTL32(50000000,Function_0004552C,?,00000101), ref: 0040EC95
                                                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040ECAD
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040ECBC
                                                                                                                                    • LoadImageW.USER32 ref: 0040ECC9
                                                                                                                                    • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040ECF3
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040ED00
                                                                                                                                    • CreateWindowExW.USER32 ref: 0040ED27
                                                                                                                                    • memcpy.MSVCRT ref: 0040EDEF
                                                                                                                                    • ShowWindow.USER32(?,?), ref: 0040EE25
                                                                                                                                    • GetFileAttributesW.KERNEL32(00453928), ref: 0040EE56
                                                                                                                                    • GetTempPathW.KERNEL32(00000104,00453928), ref: 0040EE66
                                                                                                                                    • wcslen.MSVCRT ref: 0040EE6D
                                                                                                                                    • wcslen.MSVCRT ref: 0040EE7B
                                                                                                                                    • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040EEC8
                                                                                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040EF02
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040EF15
  • Part of subcall function 00403D7A: wcslen.MSVCRT ref: 00403D97
  • Part of subcall function 00403D7A: SendMessageW.USER32(?,00001061,?,?), ref: 00403DBB
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Message$SendWindow$Createwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpy
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
• API String ID: 1225797202-2103577948
• Opcode ID: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
• Instruction ID: 8c9b3575536fccf7ef0877cb0e8d9f23cb5666ec72f10922821c14b88f39767b
• Opcode Fuzzy Hash: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
• Instruction Fuzzy Hash: B5B1A271540388AFEF11DF64CC89BCA7FA5AF55304F0404BAFA48AF292C7B99544CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
  • Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
  • Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
  • Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5
• GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
• LoadIconW.USER32(00000000,00000072), ref: 00403785
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
• GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
• LoadIconW.USER32(00000000,00000074), ref: 0040379F
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
• LoadIconW.USER32(00000000,00000073), ref: 004037B3
• ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
• GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
• LoadIconW.USER32(00000000,00000075), ref: 004037C7
• ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
• GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
• LoadIconW.USER32(00000000,0000006F), ref: 004037DB
• ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
• GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
• LoadIconW.USER32(00000000,00000076), ref: 004037EF
• ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
• LoadIconW.USER32(00000000,00000077), ref: 00403803
• ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
• GetModuleHandleW.KERNEL32(00000000), ref: 00403812
• LoadIconW.USER32(00000000,00000070), ref: 00403817
• ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 715923342-0
• Opcode ID: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
• Instruction ID: b7e10a9324f3d83bf9194ece928487740f847c1137f1a2c01f1b8e69b6e47de2
• Opcode Fuzzy Hash: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
• Instruction Fuzzy Hash: 1711F160B857087AFA3137B2DC4BF7B7A5EDF81B85F114414F35D990E0C9E6AC105928
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
• ??2@YAPAXI@Z.MSVCRT ref: 00443D51
• GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
• VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
• _snwprintf.MSVCRT ref: 00443DD1
• wcscpy.MSVCRT ref: 00443DFB
• ??3@YAXPAX@Z.MSVCRT ref: 00443EAB
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 1223191525-1542517562
• Opcode ID: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
• Instruction ID: f644ee0d2354bfc8442d092a800b66c1527b1609597f5fb91e8fdc391f94498a
• Opcode Fuzzy Hash: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
• Instruction Fuzzy Hash: 164133B2900218BAEB04EFA1DD82DDEB7BCAF48704F110517B515A3142DB78EA559BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040E0B9
• memset.MSVCRT ref: 0040E0CE
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
• SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
• ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
• SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
• LoadImageW.USER32 ref: 0040E19F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
• LoadImageW.USER32 ref: 0040E1BC
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
• GetSysColor.USER32(0000000F), ref: 0040E1D5
• ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
• ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
• DeleteObject.GDI32(?), ref: 0040E20C
• DeleteObject.GDI32(?), ref: 0040E212
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 304928396-0
• Opcode ID: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction ID: d1f198460081c9bd407666b3734bdbb6004887ae833e7bd4338906f330e243fe
• Opcode Fuzzy Hash: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction Fuzzy Hash: F241E975640704BFEB20AF70DC4AF9777ADFB09705F000829F399A91D1CAF5A8508B29
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406B72
  • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
• _wcsnicmp.MSVCRT ref: 00406BE5
• memset.MSVCRT ref: 00406C09
• memset.MSVCRT ref: 00406C25
• _snwprintf.MSVCRT ref: 00406C45
• wcsrchr.MSVCRT ref: 00406C6C
• CompareFileTime.KERNEL32(?,?,00000000), ref: 00406C9F
• wcscpy.MSVCRT ref: 00406CC1
• memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00413EE6: RegEnumKeyExW.ADVAPI32(00000000,00411799,00411799,?,00000000,00000000,00000000,00411799,00411799,00000000), ref: 00413F09
• RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
• wcscpy.MSVCRT ref: 00406D07
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
• String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 1094916163-2797892316
• Opcode ID: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
• Instruction ID: 3a0c8bae75b73356f025c28445405007b897e2e36fb84af6dfbdfac580efd4a0
• Opcode Fuzzy Hash: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
• Instruction Fuzzy Hash: 9961BBB2D04229AAEF20EBA1CC45BDF77BCFF45344F010476E909F2181EB795A548B59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
• Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
• Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
• Opcode Fuzzy Hash: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
• Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
• GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$HandleModule
                                                                                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                    • API String ID: 667068680-2887671607
                                                                                                                                    • Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
                                                                                                                                    • Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
                                                                                                                                    • Opcode Fuzzy Hash: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
                                                                                                                                    • Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                                    • Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
                                                                                                                                    • Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
                                                                                                                                    • Opcode Fuzzy Hash: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
                                                                                                                                    • Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                                    • Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
                                                                                                                                    • Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
                                                                                                                                    • Opcode Fuzzy Hash: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
                                                                                                                                    • Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040BD76
                                                                                                                                    • memset.MSVCRT ref: 0040BD92
                                                                                                                                      • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
                                                                                                                                      • Part of subcall function 00443D20: GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
                                                                                                                                      • Part of subcall function 00443D20: ??2@YAPAXI@Z.MSVCRT ref: 00443D51
                                                                                                                                      • Part of subcall function 00443D20: GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
                                                                                                                                      • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
                                                                                                                                      • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
                                                                                                                                      • Part of subcall function 00443D20: _snwprintf.MSVCRT ref: 00443DD1
                                                                                                                                      • Part of subcall function 00443D20: wcscpy.MSVCRT ref: 00443DFB
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BDD6
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BDE5
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BDF5
                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040BEF4,00000004,0040BB24,00000000), ref: 0040BE5A
                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040BEF4,00000005,0040BB24,00000000), ref: 0040BE64
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BE6C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                    • API String ID: 3037099051-517860148
                                                                                                                                    • Opcode ID: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                    • Instruction ID: d02a95b1ac945ad733c6c475c60bd1556454897fd3a1253caa6bc47d13ece21f
                                                                                                                                    • Opcode Fuzzy Hash: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                    • Instruction Fuzzy Hash: AD21A9B294021876EB20BB529C46FCB7B6CDF55754F00047BF50871192DBBC9A94C6EE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                                                                                                                    • API String ID: 2238633743-1621422469
                                                                                                                                    • Opcode ID: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
                                                                                                                                    • Instruction ID: d7a6577b60cfc464e8e16958ee64dd601e1a2e2a5708563609cb1b578f097ad1
                                                                                                                                    • Opcode Fuzzy Hash: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
                                                                                                                                    • Instruction Fuzzy Hash: A2F0F974940B44AFEF306F769D49E06BEF0EFA87017214D2EE0C1A3651D7B99100CE48
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00407774
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    • memset.MSVCRT ref: 004077A6
                                                                                                                                    • memset.MSVCRT ref: 004077C8
                                                                                                                                    • memset.MSVCRT ref: 004077DD
                                                                                                                                    • strcmp.MSVCRT ref: 0040781C
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
                                                                                                                                    • memset.MSVCRT ref: 004078E5
                                                                                                                                    • strcmp.MSVCRT ref: 00407949
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040797B
                                                                                                                                    • CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
                                                                                                                                    • String ID: ---
                                                                                                                                    • API String ID: 3751793120-2854292027
                                                                                                                                    • Opcode ID: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                    • Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
                                                                                                                                    • Opcode Fuzzy Hash: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                    • Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(psapi.dll,?,00411582), ref: 00412FAC
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412FC5
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412FD6
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00412FE7
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00412FF8
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413009
                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413029
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                    • API String ID: 2449869053-70141382
                                                                                                                                    • Opcode ID: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                    • Instruction ID: 777907c91c3138f07d32b7effc6a6e277a0cb3bdfe1d402d2202e46302417196
                                                                                                                                    • Opcode Fuzzy Hash: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                    • Instruction Fuzzy Hash: B5014030940715AAD7318F256E44B6A2EE4E759B83B14002BA404D2A5AEBB8D941DBAC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                    • API String ID: 2081463915-1959339147
                                                                                                                                    • Opcode ID: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                    • Instruction ID: 6ae1867121f1a9de607d4cf96a2848453b881622ab493d5bc2878352e6736150
                                                                                                                                    • Opcode Fuzzy Hash: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                    • Instruction Fuzzy Hash: 4D01EC6328A32164F97469A7AC07F8B0A49CBD2F7AF71543BF904D41C6FF8D944560AC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00411589), ref: 00412F24
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00412F3D
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00412F4E
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00412F5F
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00412F70
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00412F81
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
• Instruction ID: 90193f1111e05c4afbc6439255eabbfb584b4719c6c3eda45dffcf0f008ca331
• Opcode Fuzzy Hash: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
• Instruction Fuzzy Hash: 6BF08B30941321AEAB208F295F40F6729B4E745BCAF140037B404D1655DBE8C453DF7D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403BA4: FreeLibrary.KERNEL32(?,00403B31,00000000,00409589,?,00000000,?), ref: 00403BAB
• LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
• GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
• Instruction ID: 8f7743962e36341c748a679f4d1b70e48ab6ec882cd35c5a4d1c5c737e04e9f5
• Opcode Fuzzy Hash: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
• Instruction Fuzzy Hash: 4F011A34500B419BDB31AF768809E0ABBF4EF94709B20882FE091A3692D6BDB140CF48
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetBkMode.GDI32(?,00000001), ref: 0040FA22
• SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
• SelectObject.GDI32(?,?), ref: 0040FA45
• DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
• SelectObject.GDI32(00000014,00000005), ref: 0040FA85
  • Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
  • Part of subcall function 0040F7F1: GetSubMenu.USER32 ref: 0040F809
  • Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A
• GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
• LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
• SetCursor.USER32(00000000), ref: 0040FAB0
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
• memcpy.MSVCRT ref: 0040FB3D
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
• String ID: WebBrowserPassView
• API String ID: 3991541706-2171583229
• Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
• Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
• Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
• Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 0040EA07
• GetWindowRect.USER32 ref: 0040EA1D
• GetWindowRect.USER32 ref: 0040EA33
• GetDlgItem.USER32 ref: 0040EA6D
• GetWindowRect.USER32 ref: 0040EA74
• MapWindowPoints.USER32 ref: 0040EA84
• BeginDeferWindowPos.USER32 ref: 0040EAA8
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040EACB
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040EAEA
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040EB15
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040EB2D
• EndDeferWindowPos.USER32(?), ref: 0040EB32
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
• Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
• Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
• Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250
  • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280
  • Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
  • Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0
• memcpy.MSVCRT ref: 0040A2C7
• strchr.MSVCRT ref: 0040A2EC
• strchr.MSVCRT ref: 0040A2FD
• _strlwr.MSVCRT ref: 0040A30B
• memset.MSVCRT ref: 0040A326
• CloseHandle.KERNEL32(00000000), ref: 0040A373
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
• Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction ID: 0b838db9f825932711660ea6569b586705b9a26b63b1a47a63d1f68ae8ff407c
• Opcode Fuzzy Hash: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction Fuzzy Hash: 86313271900129BBEB20DF55CC85FEB7B7CEF89304F0100EAF509A2112EB789A54CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004055F3
• KillTimer.USER32(?,00000041), ref: 00405603
• KillTimer.USER32(?,00000041), ref: 00405614
• GetTickCount.KERNEL32 ref: 00405637
• GetParent.USER32(?), ref: 00405662
• SendMessageW.USER32(00000000), ref: 00405669
• BeginDeferWindowPos.USER32 ref: 00405677
• EndDeferWindowPos.USER32(00000000), ref: 004056C7
• InvalidateRect.USER32(?,?,00000001), ref: 004056D3
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction ID: 7dfccb24d1e076f690be31caf06a6d4f547633615caf0f8568b2f3749d1e3a55
• Opcode Fuzzy Hash: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction Fuzzy Hash: 1D317E75640B04BBEB201F659C85F6B7B6AFB44741F50883AF30A7A1E1C7F698908E58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
• <table dir="rtl"><tr><td>, xrefs: 0040E33C
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
• Instruction ID: dd7614801a102cad1738161c6781c4b5767366b5b9f47406b9b80e8d834f6cb8
• Opcode Fuzzy Hash: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
• Instruction Fuzzy Hash: C82154B69002186BDB21EBA5CC45F9A77BCEF4D785F0440AAF50893151DB38DB848B59
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • wcschr.MSVCRT ref: 0041304A
                                                                                                                                    • wcscpy.MSVCRT ref: 0041305A
                                                                                                                                      • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
                                                                                                                                      • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
                                                                                                                                      • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
                                                                                                                                    • wcscpy.MSVCRT ref: 004130A9
                                                                                                                                    • wcscat.MSVCRT ref: 004130B4
                                                                                                                                    • memset.MSVCRT ref: 00413090
                                                                                                                                      • Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
                                                                                                                                      • Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489
                                                                                                                                    • memset.MSVCRT ref: 004130D8
                                                                                                                                    • memcpy.MSVCRT ref: 004130F3
                                                                                                                                    • wcscat.MSVCRT ref: 004130FF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                    • String ID: \systemroot
                                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                                    • Opcode ID: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
                                                                                                                                    • Instruction ID: 36f3f6f0360cce9f0c7183545ae4e1e5b3fba08c84210a6b9e93ac32fafd8b1c
                                                                                                                                    • Opcode Fuzzy Hash: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
                                                                                                                                    • Instruction Fuzzy Hash: 9A21D7B640530469E721EBB19C86FEB63EC9F46715F20415FB115A2082FB7CAA84475E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
                                                                                                                                      • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
                                                                                                                                      • Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
                                                                                                                                      • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
                                                                                                                                      • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
                                                                                                                                      • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
                                                                                                                                      • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
                                                                                                                                      • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
                                                                                                                                      • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
                                                                                                                                      • Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
                                                                                                                                      • Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
                                                                                                                                      • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
                                                                                                                                      • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
                                                                                                                                    • memset.MSVCRT ref: 0040748C
                                                                                                                                      • Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77
                                                                                                                                    • memset.MSVCRT ref: 0040750B
                                                                                                                                    • memset.MSVCRT ref: 00407520
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
                                                                                                                                    • memset.MSVCRT ref: 004076E0
                                                                                                                                    Strings
                                                                                                                                    • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
                                                                                                                                    • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
                                                                                                                                    • API String ID: 2096775815-1337997248
                                                                                                                                    • Opcode ID: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
                                                                                                                                    • Instruction ID: 3c2b171134edc849c89bfde98875369ff40149e6fc896e2c8c158776e68e1888
                                                                                                                                    • Opcode Fuzzy Hash: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
                                                                                                                                    • Instruction Fuzzy Hash: 61912A72C0425EAFDF10DF94DC819DEBBB4EF04315F10406BE505B2191EA39AA94CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
                                                                                                                                    • malloc.MSVCRT ref: 00417FD2
                                                                                                                                    • free.MSVCRT(?), ref: 00417FE2
                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00417FF6
                                                                                                                                    • free.MSVCRT(?), ref: 00417FFB
                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00418011
                                                                                                                                    • malloc.MSVCRT ref: 00418019
                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041802C
                                                                                                                                    • free.MSVCRT(?), ref: 00418031
                                                                                                                                    • free.MSVCRT(?), ref: 00418045
                                                                                                                                    • free.MSVCRT(00000000,0044C838,00000000), ref: 00418064
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free$FullNamePath$malloc$Version
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3356672799-0
                                                                                                                                    • Opcode ID: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
                                                                                                                                    • Instruction ID: e19f7d1979d0248284e652c075024004b82b0c137a295abbe9fd7512c3376d02
                                                                                                                                    • Opcode Fuzzy Hash: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
                                                                                                                                    • Instruction Fuzzy Hash: AA218675904118BFEF10BBA5EC46CDF7FB9DF41398B22016BF404A2161DE395E819968
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EmptyClipboard.USER32 ref: 00407FA4
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
                                                                                                                                    • GlobalLock.KERNEL32 ref: 00407FDF
                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00408004
                                                                                                                                    • SetClipboardData.USER32 ref: 0040800D
                                                                                                                                    • GetLastError.KERNEL32 ref: 00408015
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00408021
                                                                                                                                    • GetLastError.KERNEL32 ref: 0040802C
                                                                                                                                    • CloseClipboard.USER32 ref: 00408035
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3604893535-0
                                                                                                                                    • Opcode ID: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
                                                                                                                                    • Instruction ID: 9cea1fd89fc17267dcd3af91661d4008ede421ba1dc4d9805cb8839a0273d96b
                                                                                                                                    • Opcode Fuzzy Hash: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
                                                                                                                                    • Instruction Fuzzy Hash: 71113D7A900A04FBDF105FB0ED4CB9E7BB8EB45365F100176F942E52A2DB748904DB68
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy
                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                    • API String ID: 1284135714-318151290
                                                                                                                                    • Opcode ID: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
                                                                                                                                    • Instruction ID: 0ebae4f713cd0728fe49c3fef23c10be13eea51f6af137ba8aced86fbfd041bd
                                                                                                                                    • Opcode Fuzzy Hash: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
                                                                                                                                    • Instruction Fuzzy Hash: 59F0BBB169462D73342E25B85806AF70483F0C1B0537E45537702EA6D6EA4CCAC1E89F
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                    • wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
                                                                                                                                      • Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814
                                                                                                                                    • wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                    • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                    • memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                    • String ID: `s]$hw]$strings
                                                                                                                                    • API String ID: 3166385802-2133324168
                                                                                                                                    • Opcode ID: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                    • Instruction ID: c57a50961ac065af18f7b97b0dfcf96f0970c66ac6ac5239858a4cd79fa145fe
                                                                                                                                    • Opcode Fuzzy Hash: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                    • Instruction Fuzzy Hash: 35415975200701BBDB259F14FC9593A3365E784387B20453EE802A73A3DB39EA16DB9C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                    • String ID: 0$6
                                                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                                                    • Opcode ID: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
                                                                                                                                    • Instruction ID: bceec671b1c8862383177497c079c71e13407bcb6d3a60011dae78a89f936b1e
                                                                                                                                    • Opcode Fuzzy Hash: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
                                                                                                                                    • Instruction Fuzzy Hash: 65315BB2408340AFDB109F95DC44A9BB7E8FF89318F00487FF948A2291D779D905CB9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
                                                                                                                                    • #17.COMCTL32(?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CDF
                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                    • Opcode ID: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
                                                                                                                                    • Instruction ID: 34266bbb316567afe830504356b8b6584aa457591d2bf79f0dcd5bedfca56d80
                                                                                                                                    • Opcode Fuzzy Hash: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
                                                                                                                                    • Instruction Fuzzy Hash: B801D676754B116BEB215F649C89B6B7D9CEF42B4AB004039F502F2181DAB8DE0196A8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
                                                                                                                                    • GetModuleHandleW.KERNEL32(sqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411733
                                                                                                                                    • GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411752
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411759
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeHandleLibraryModule
                                                                                                                                    • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                                                                                                    • API String ID: 662261464-3550686275
                                                                                                                                    • Opcode ID: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
                                                                                                                                    • Instruction ID: e2ab39130582ef49d5f09875a9cbab8dc3c3c45014a759ddc4c6379760142a6f
                                                                                                                                    • Opcode Fuzzy Hash: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
                                                                                                                                    • Instruction Fuzzy Hash: 7AE04F66F4136DA79A1027F66C84EAB6F5CC896AA13150037AF05A33519EA89C018AF9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$memchrmemset
                                                                                                                                    • String ID: UCD$UCD
                                                                                                                                    • API String ID: 1581201632-670880344
                                                                                                                                    • Opcode ID: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
                                                                                                                                    • Instruction ID: 346eebee7d7e8b6f8d140da3993cfc901939ed9edb34b9035315ebb9ce6523fc
                                                                                                                                    • Opcode Fuzzy Hash: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
                                                                                                                                    • Instruction Fuzzy Hash: 8551D3719001195BEB10EFA8CC95FEEB7B8AF85300F0444ABF955E7281E778E644CB64
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetSystemMetrics.USER32 ref: 004085E9
                                                                                                                                    • GetSystemMetrics.USER32 ref: 004085EF
                                                                                                                                    • GetDC.USER32(00000000), ref: 004085FC
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
                                                                                                                                    • ReleaseDC.USER32 ref: 0040861B
                                                                                                                                    • GetWindowRect.USER32 ref: 0040862E
                                                                                                                                    • GetParent.USER32(?), ref: 00408633
                                                                                                                                    • GetWindowRect.USER32 ref: 00408650
                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2163313125-0
                                                                                                                                    • Opcode ID: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
                                                                                                                                    • Instruction ID: 6b5921239ffcae24bde8aad05d59603f054fe97e3a0e5988cf4f66e7c2dd28aa
                                                                                                                                    • Opcode Fuzzy Hash: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
                                                                                                                                    • Instruction Fuzzy Hash: 2E31A475A00609AFDF04CFB8CD85AEEBBB9FB48350F050539E901F3291DA71ED418A94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free$wcslen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3592753638-3916222277
                                                                                                                                    • Opcode ID: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
                                                                                                                                    • Instruction ID: 99c2379fcd531e162887146704610c03ee1d54022b9859d6cf2ce1b1ac3fe7c7
                                                                                                                                    • Opcode Fuzzy Hash: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
                                                                                                                                    • Instruction Fuzzy Hash: 87616630408342DBDB68AF11D64852FB7B1FF84755F90093FF482A22D0D7B88989DB9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadMenuW.USER32 ref: 0040BB4B
                                                                                                                                      • Part of subcall function 0040B974: GetMenuItemCount.USER32 ref: 0040B98A
                                                                                                                                      • Part of subcall function 0040B974: memset.MSVCRT ref: 0040B9A9
                                                                                                                                      • Part of subcall function 0040B974: GetMenuItemInfoW.USER32 ref: 0040B9E5
                                                                                                                                      • Part of subcall function 0040B974: wcschr.MSVCRT ref: 0040B9FD
                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 0040BB69
                                                                                                                                    • CreateDialogParamW.USER32 ref: 0040BBB7
                                                                                                                                    • memset.MSVCRT ref: 0040BBD3
                                                                                                                                    • GetWindowTextW.USER32 ref: 0040BBE8
                                                                                                                                    • EnumChildWindows.USER32 ref: 0040BC13
                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0040BC1A
                                                                                                                                      • Part of subcall function 0040B7A3: _snwprintf.MSVCRT ref: 0040B7C8
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
                                                                                                                                    • String ID: caption
                                                                                                                                    • API String ID: 1928666178-4135340389
                                                                                                                                    • Opcode ID: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
                                                                                                                                    • Instruction ID: e22aff4ff37d874dc9406bb5861836d8cb00257f57c634ff68b223b0e4ee6d7d
                                                                                                                                    • Opcode Fuzzy Hash: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
                                                                                                                                    • Instruction Fuzzy Hash: 6821A172500218ABEF21AF50EC49EAF3B78FF46754F00447AF905A5192DB789990CBDE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                    • String ID: %s (%s)$TK@
                                                                                                                                    • API String ID: 3979103747-3557169880
                                                                                                                                    • Opcode ID: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
                                                                                                                                    • Instruction ID: e896be4b8b4c8dd321127e9193ea498031fb30aa9e34a4c02f498fe4f9df0790
                                                                                                                                    • Opcode Fuzzy Hash: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
                                                                                                                                    • Instruction Fuzzy Hash: 6F2162B2800118ABDF20DF95CC45E8AB7B8FF44318F05846AEA48A7106DB78E618CBD4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
                                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
                                                                                                                                    • wcslen.MSVCRT ref: 00407D46
                                                                                                                                    • wcscpy.MSVCRT ref: 00407D56
                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
                                                                                                                                    • wcscpy.MSVCRT ref: 00407D70
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                                                    • API String ID: 2767993716-572158859
                                                                                                                                    • Opcode ID: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                    • Instruction ID: f6f7092b450fef05d0d872bf5e04b1357ca4228fed94eee9f5e7a838667149bb
                                                                                                                                    • Opcode Fuzzy Hash: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                    • Instruction Fuzzy Hash: D201F771A041147BFB1527A0EC4AFAF7B6CDF567A1F20003AF506B10D1EA786E00D6AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BCA4
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BCB4
                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 0040BCC5
                                                                                                                                      • Part of subcall function 0040B82A: GetPrivateProfileStringW.KERNEL32 ref: 0040B846
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                                    • Opcode ID: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                    • Instruction ID: d09d9999bd57a78b58a4055e383115949195630bbf49bad653da3d74dfc2830b
                                                                                                                                    • Opcode Fuzzy Hash: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                    • Instruction Fuzzy Hash: 8AF0C232EC0A5137EB1137221D03F2A2608CF92B57F15847BB904762D3DA7C4A15D2DE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042EED9
                                                                                                                                    • unable to open database: %s, xrefs: 0042F0C1
                                                                                                                                    • out of memory, xrefs: 0042F0D8
                                                                                                                                    • too many attached databases - max %d, xrefs: 0042EEC3
                                                                                                                                    • database is already attached, xrefs: 0042EF94
                                                                                                                                    • database %s is already in use, xrefs: 0042EF3B
                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042EFE2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpymemset
                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                    • Opcode ID: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                    • Instruction ID: af9b9ef2f5a1795804296138b741be62980529f77760b3752da5ffa5b8d2aff6
                                                                                                                                    • Opcode Fuzzy Hash: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                    • Instruction Fuzzy Hash: E991E370B00311EFEB10DF66D581BAAB7F0AF44308F94846FE8559B242D778E945CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C37A
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C396
                                                                                                                                    • memcpy.MSVCRT ref: 0040C3BB
                                                                                                                                    • memcpy.MSVCRT ref: 0040C3CF
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C452
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C45C
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C494
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                    • String ID: 8"E$d
                                                                                                                                    • API String ID: 1140211610-2418960419
                                                                                                                                    • Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                    • Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
                                                                                                                                    • Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                    • Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00417204
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417216
                                                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3015003838-0
                                                                                                                                    • Opcode ID: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                    • Instruction ID: b1728a7637de8f6c0c3372c087848d546b31592ea547c84e90bff2a5ea0aeb9c
                                                                                                                                    • Opcode Fuzzy Hash: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                    • Instruction Fuzzy Hash: 2F41F27550C702AFE7218F20DC01BA7B7F1AB90B14F20496EF59552381DBB9D9C68B1E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E63
                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00417E6A
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417E77
                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00417E8C
                                                                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E95
                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00417E9C
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417EA9
                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00417EBE
                                                                                                                                    • free.MSVCRT(00000000), ref: 00417EC7
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2802642348-0
                                                                                                                                    • Opcode ID: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                    • Instruction ID: 47bfd0c0f8263ce6d61c00ded009a165ca5b61f2fc3d609cfbcfb361f1c4a64c
                                                                                                                                    • Opcode Fuzzy Hash: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                    • Instruction Fuzzy Hash: 1711063D5087149FCA2027706CC86BF36F49B57772B2102AAF953922D1DB2D4CC1956D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                    • Opcode ID: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                    • Instruction ID: 1058aa724a71ea66541b56df80d5a3cdc90ec5801de880f61679d0e38116f1b7
                                                                                                                                    • Opcode Fuzzy Hash: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                    • Instruction Fuzzy Hash: 2901927AE542A1A5F63031094C86FF74198DBE3B15FB14127FA96252C5E28D49C382AF
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
                                                                                                                                      • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
                                                                                                                                      • Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7
                                                                                                                                    • memset.MSVCRT ref: 0040A5DF
                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
                                                                                                                                    • _wcsupr.MSVCRT ref: 0040A627
                                                                                                                                      • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
                                                                                                                                      • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
                                                                                                                                    • memset.MSVCRT ref: 0040A676
                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE
                                                                                                                                    Strings
                                                                                                                                    • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                    • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                                                                                    • API String ID: 4131475296-680441574
                                                                                                                                    • Opcode ID: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                    • Instruction ID: 4ff845341dcd1a768bfc42e85b7312ef223b671260cd3b9f040e87321517091f
                                                                                                                                    • Opcode Fuzzy Hash: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                    • Instruction Fuzzy Hash: AB413BB694021DABDB00EF99DC85EEFB7BCAF58304F10417AB504F2191DB789B458BA4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                    • Opcode ID: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                    • Instruction ID: cf2ea30055fd2b250d8a38ac5c403ff02bed82fd0d2b8d5d11e07c443477a94e
                                                                                                                                    • Opcode Fuzzy Hash: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                    • Instruction Fuzzy Hash: D31177325002197BEB20EB91DC8AEEF777CEF45750F404066F509E1192EB749A41CB99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 06be32a774592b0ef8d9d06a82f4e809c6ae93f37653617c392a06c5b268a917
• Instruction ID: 74a332e22f0b607a266e47b82b9d8ba1ef45136a3b8be849caa08d0d2b66e2c9
• Instruction Fuzzy Hash: DCA1C071A0464AEFDB14DF64C8417DEBBB0FF04314F14826EE46997381D738AAA4CB98
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00405153
• GetDlgItem.USER32 ref: 00405166
• GetDlgItem.USER32 ref: 0040517B
• GetDlgItem.USER32 ref: 00405193
• EndDialog.USER32(?,00000002), ref: 004051AF
• EndDialog.USER32(?,00000001), ref: 004051C4
  • Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
  • Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90
• SendDlgItemMessageW.USER32 ref: 004051DC
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004052ED
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
• Instruction ID: 2cde12ba5927d4bde9809f16a4ff1e8400ea1fd37873b15a8c1cc8d9e94e8744
• Instruction Fuzzy Hash: 6961B030600B05ABDB31AF25CC86B6B73A5FF50324F00863EF515AA6D1D778A951CF99
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00443F6F
• _wcsicmp.MSVCRT ref: 00443F84
• _wcsicmp.MSVCRT ref: 00443F99
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
• Opcode ID: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
• Instruction ID: 597a29036d5ddd155e475e5b18437da6987c3908216f6d337c400390a4fd9aac
• Instruction Fuzzy Hash: A54135758087018AF7309EA5D94076773D8DB84B26F208D3FE56AE36C1EEBCE958411E
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
• Instruction ID: 5d7335f69ca4f594208563f7014043d8df0e1bea6ea55c180c5050c90dc7a29e
• Instruction Fuzzy Hash: E931A4B1500A01AFEB14AF69C98691AB7A4FF04354710453FF545E7691DB78EC90CF98
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 00405491
• GetWindow.USER32(?,00000005), ref: 004054A9
• GetWindow.USER32(00000000), ref: 004054AC
  • Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744
• GetWindow.USER32(00000000,00000002), ref: 004054B8
• GetDlgItem.USER32 ref: 004054CE
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
• GetDlgItem.USER32 ref: 00405517
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
• Opcode ID: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
• Instruction ID: ee080d675ccdbf70b04d6128f25a7e8090f7ef981af0433368dbc7d1a9e2eb74
• Instruction Fuzzy Hash: AB218071690B0977EA0137229D86F6B366DEF96714F10003AFA007B2C2EEBA580245AD
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
• wcslen.MSVCRT ref: 00407F47
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
• GlobalLock.KERNEL32 ref: 00407F64
• memcpy.MSVCRT ref: 00407F6D
• GlobalUnlock.KERNEL32(00000000), ref: 00407F76
• SetClipboardData.USER32 ref: 00407F7F
• CloseClipboard.USER32 ref: 00407F8F
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
• Instruction ID: 8669bfd28652b36aabcc6f95cbac9fd564b8d5c2b1f3dd921f492192fb7780cb
• Instruction Fuzzy Hash: E8F0E03B600A157FD6103BF0BC4CF5B776CDBC6B96B01013AF905D6252DE68580487B9
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406FF4
• memset.MSVCRT ref: 00407008
• strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
• strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
• strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
• strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
• wcscpy.MSVCRT ref: 0040709D
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 4248099071-0
• Opcode ID: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
• Instruction ID: 3602a3695f0633691502e701aaeaa3678f077821d3d25540d64766a890a16dc7
• Instruction Fuzzy Hash: A6412D7590021DAFDB20DF64CC80FDAB3FCBB09344F0485AAB559D2141DA34AB448F64
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404F51
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404F6A
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404F77
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404F83
• memset.MSVCRT ref: 00404FE7
• SendMessageW.USER32(?,0000105F,?,?), ref: 0040501C
• SetFocus.USER32(?), ref: 004050A2
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
• Instruction ID: 4a7769bfe8dd657eebcefc70b29ecb6e887c437cb47c08b61b0609965a717ddb
• Instruction Fuzzy Hash: 7B415975900219BBDB20DF95CC89EAFBFB9EF04754F1040AAF508A6291D3749A90CFA4
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
• Instruction ID: 8f1261d6e50b9fc48a8d4c2a01cb2efc3c1dd918db621c17a7092c97f5fd87e6
• Instruction Fuzzy Hash: 7E318D31900209EFDF04EF54CC86AAE7F75FF44320F1001AAE905AB2E2C738AA55DB54
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
• Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
• Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
                                                                                                                                    • wcscpy.MSVCRT ref: 00408767
                                                                                                                                    • wcscat.MSVCRT ref: 00408774
                                                                                                                                    • wcscat.MSVCRT ref: 00408783
                                                                                                                                    • wcscpy.MSVCRT ref: 00408795
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1331804452-0
                                                                                                                                    • Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
                                                                                                                                    • Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
                                                                                                                                    • Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
                                                                                                                                    • Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • <%s>, xrefs: 0040D8E2
                                                                                                                                    • <?xml version="1.0" ?>, xrefs: 0040D8B8
                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                                    • Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
                                                                                                                                    • Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
                                                                                                                                    • Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
                                                                                                                                    • Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                                    • String ID: %2.2X
                                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                                    • Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
                                                                                                                                    • Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
                                                                                                                                    • Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
                                                                                                                                    • Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • wcscpy.MSVCRT ref: 00443CA6
                                                                                                                                    • wcscat.MSVCRT ref: 00443CB5
                                                                                                                                    • wcscat.MSVCRT ref: 00443CC6
                                                                                                                                    • wcscat.MSVCRT ref: 00443CD5
                                                                                                                                    • VerQueryValueW.VERSION(?,?,00000000,?), ref: 00443CEF
                                                                                                                                      • Part of subcall function 0040807E: wcslen.MSVCRT ref: 00408085
                                                                                                                                      • Part of subcall function 0040807E: memcpy.MSVCRT ref: 0040809B
                                                                                                                                      • Part of subcall function 00408148: lstrcpyW.KERNEL32 ref: 0040815D
                                                                                                                                      • Part of subcall function 00408148: lstrlenW.KERNEL32(?), ref: 00408164
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                    • API String ID: 393120378-2245444037
                                                                                                                                    • Opcode ID: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
                                                                                                                                    • Instruction ID: 4bcd922806ee50f9cb47b7d9b2cc513868d30f54de93413914084f8cb2eb3ca3
                                                                                                                                    • Opcode Fuzzy Hash: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
                                                                                                                                    • Instruction Fuzzy Hash: B801847290020DA6EF11EAA1CC45EDF777CAB44308F1005B7B654F2052EA3CDB869B58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                    • Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
                                                                                                                                    • Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
                                                                                                                                    • Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
                                                                                                                                    • Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset
                                                                                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                    • API String ID: 2221118986-1606337402
                                                                                                                                    • Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
                                                                                                                                    • Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
                                                                                                                                    • Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
                                                                                                                                    • Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
                                                                                                                                    • memset.MSVCRT ref: 004131B4
                                                                                                                                    • memset.MSVCRT ref: 004131C4
                                                                                                                                      • Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A
                                                                                                                                    • memset.MSVCRT ref: 004132AF
                                                                                                                                    • wcscpy.MSVCRT ref: 004132D0
                                                                                                                                    • CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3300951397-0
                                                                                                                                    • Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
                                                                                                                                    • Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
                                                                                                                                    • Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
                                                                                                                                    • Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00417F17
                                                                                                                                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00417F25
                                                                                                                                    • free.MSVCRT(00000000), ref: 00417F6B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AttributesFilefreememset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2507021081-0
                                                                                                                                    • Opcode ID: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
                                                                                                                                    • Instruction ID: b8dc40b53dc963fdbe0ae3b1e60dcad109612476599bdcfb1117a2ceff08efc0
                                                                                                                                    • Opcode Fuzzy Hash: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
                                                                                                                                    • Instruction Fuzzy Hash: 0811B73690C1159B9B109F649CC15EF7278DB49354B21013BF912A2281D63C9D82D2AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040EF4D
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
  • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
  • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
  • Part of subcall function 00408907: GetSaveFileNameW.COMDLG32(?), ref: 00408956
  • Part of subcall function 00408907: wcscpy.MSVCRT ref: 0040896D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 1392923015-3614832568
• Opcode ID: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
• Instruction ID: 893d8713e26b77edc4206c052df4fc7d3163be0104e9675467069f1f0f0c5c5e
• Instruction Fuzzy Hash: 963150B1D006199FDB10EF96D8856DD7BB4FF04318F20417BF908B7281EB786A458B98
Uniqueness
Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 00416E17
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E35
• malloc.MSVCRT ref: 00416E3F
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E56
• free.MSVCRT(?), ref: 00416E5F
• free.MSVCRT(?,?), ref: 00416E7D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
• Instruction ID: 8f18c9831eb1c79f14fd8e789aed1b74bdecd3d50ffb4352c5f07f5f59d31971
• Instruction Fuzzy Hash: 4901FC7A504221BBAB215B75EC01EEF36DCDF457B07220326FC14E7290DA28DD4145EC

Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID: NA$LMA$MMA$MMA
• API String ID: 3510742995-965156261
• Opcode ID: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
• Instruction ID: 8582fd1753a63c193c8d59700b7b4d4e45a0e47666d49b47a36a18adf3e061cc
• Instruction Fuzzy Hash: DBE09A30940350DAE360A744DC82F823294A742B26F11843BE508229E3C3FC98C88BAD

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,0041767E), ref: 00417AF6
• GetTempPathA.KERNEL32(000000E6,?,?,0041767E), ref: 00417B1E
• free.MSVCRT(00000000,0044C838,00000000), ref: 00417B46
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
• Instruction ID: 98cb418060ea171a52ad1c8f6cb6bf58db0dc7ae7347cd78cc57f1029aea62d9
• Instruction Fuzzy Hash: F8314B3160C2595AE730A7659C41BFB73AD9F6434CF2404AFE481C2182EF6CEEC58A5D

APIs
• memset.MSVCRT ref: 0040D611
  • Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825
  • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
  • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
• _snwprintf.MSVCRT ref: 0040D65B
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
• Opcode ID: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
• Instruction ID: be7e472b8ae12577d0ef69e4d5a2bd87498dbd4f23eec6cc8c98af6d964d1ad5
• Instruction Fuzzy Hash: 3E11C13160031ABBEB11AB65CCC6E997B25FF08708F100026F809676A2C739F961DBC9

APIs
• memset.MSVCRT ref: 0040F329
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040F343
• wcscat.MSVCRT ref: 0040F35F
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: .cfg$General
• API String ID: 776488737-1188829934
• Opcode ID: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
• Instruction ID: 56bea33938f28168157b0b8bcc93b38caa6b0521648f49714e8bc2d05d89a73e
• Instruction Fuzzy Hash: 831186769013289ADF20EF55CC85ACE7378FF48754F1041FBE508A7142DB789A858B99

APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040FBF3
• RegisterClassW.USER32 ref: 0040FC18
• GetModuleHandleW.KERNEL32(00000000), ref: 0040FC1F
• CreateWindowExW.USER32 ref: 0040FC3E
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID: WebBrowserPassView
• API String ID: 2678498856-2171583229
• Opcode ID: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
• Instruction ID: f352fd5291e0f9f707763c8e0c0f79a6b8b327092a808c719acfd4fe52221a97
• Instruction Fuzzy Hash: 6E01C4B1D02629ABDB01DF998C89ADFBEBCFF09750F108116F514E6241D7B45A408BE9

APIs
• LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
• GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
• FreeLibrary.KERNEL32(00000000), ref: 00403BFD
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: CryptUnprotectData$crypt32.dll
• API String ID: 145871493-1827663648
• Opcode ID: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
• Instruction ID: 6d08c6472c4a7eef0e99d7de69836aa1542f25023555ecd08c966f49be56efdf
• Instruction Fuzzy Hash: B3012C36508A419BDB318F168D4881BFEF9EFE1741B25482EE0C6E2261D7799980CB54

APIs
• wcscpy.MSVCRT ref: 004140A9
• wcscpy.MSVCRT ref: 004140C4
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
• Opcode ID: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
• Instruction ID: 886da17c1b1bf2e9de85dc8b7e1e57be2bc6bdc909f117fec59c49a827307fb5
• Instruction Fuzzy Hash: 6BF059B3408701AFF7209B919C85E9B7BDCEB98318F11842FF21991011DB384C4486A9

APIs
• GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
• _snwprintf.MSVCRT ref: 00407E35
• MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
• Instruction ID: b00963ac5392a62de3320d989648915026267cceceb2d36b0a398715d1e41bd5
• Instruction Fuzzy Hash: B9F0A77694060867EF11A794CC06FDA73ACBB84791F1400BBF945E2181DAB8EA854A69

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                    • API String ID: 145871493-1506664499
                                                                                                                                    • Opcode ID: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
                                                                                                                                    • Instruction ID: 374e307410260eae357c848a0ac8b8d2ed108e4990ae0ebeecf0dac054c84ad8
                                                                                                                                    • Opcode Fuzzy Hash: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
                                                                                                                                    • Instruction Fuzzy Hash: B1D05B397005206BEA5167366C48FEF3A55EFC7B517154031F910D2261DB648C0285AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                    • API String ID: 0-1953309616
                                                                                                                                    • Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
                                                                                                                                    • Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
                                                                                                                                    • Opcode Fuzzy Hash: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
                                                                                                                                    • Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 00430F1A
                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 004310A5
                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430F42
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                    • Opcode ID: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
                                                                                                                                    • Instruction ID: b4e089481029338f932d4991b26cccaedb5970869045d73953a00dcfe725fe6b
                                                                                                                                    • Opcode Fuzzy Hash: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
                                                                                                                                    • Instruction Fuzzy Hash: 10914B75A00209DFCB24DF59C480A9EBBF1FF48304F15819AE809AB312D739E942CF99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memsetwcslen$wcscatwcscpy
                                                                                                                                    • String ID: nss3.dll
                                                                                                                                    • API String ID: 1250441359-2492180550
                                                                                                                                    • Opcode ID: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
                                                                                                                                    • Instruction ID: 1e34d79d1f5922d0320f8d763ab64a9784b47cc615ba08cf08abcfcfe76fb249
                                                                                                                                    • Opcode Fuzzy Hash: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
                                                                                                                                    • Instruction Fuzzy Hash: D511ECF290121D96EB10EB60DD49BC673BC9B15314F1004BBE60DF21C1FB79DA548A5D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040C19C
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
                                                                                                                                    • free.MSVCRT(00000000), ref: 0040C20E
                                                                                                                                      • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@$free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                    • Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
                                                                                                                                    • Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
                                                                                                                                    • Opcode Fuzzy Hash: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
                                                                                                                                    • Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00416DB2
                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00416DD2
                                                                                                                                    • malloc.MSVCRT ref: 00416DD8
                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00416DF6
                                                                                                                                    • free.MSVCRT(?), ref: 00416DFF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4053608372-0
                                                                                                                                    • Opcode ID: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                    • Instruction ID: 7c4f126962bd8a7e2ff3a65b0fa2dbedc4b8b396d66bab6395f0ad674673df12
                                                                                                                                    • Opcode Fuzzy Hash: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                    • Instruction Fuzzy Hash: B501C8B550411DBF7F115FA5ECC1CFF7AACEA453E8721032AF414E2190D6348E405AB8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetParent.USER32(?), ref: 0040B620
                                                                                                                                    • GetWindowRect.USER32 ref: 0040B62D
                                                                                                                                    • GetClientRect.USER32 ref: 0040B638
                                                                                                                                    • MapWindowPoints.USER32 ref: 0040B648
                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                    • Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                    • Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
                                                                                                                                    • Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                    • Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                    • memset.MSVCRT ref: 00444333
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                      • Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                    • Opcode ID: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
                                                                                                                                    • Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
                                                                                                                                    • Opcode Fuzzy Hash: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
                                                                                                                                    • Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                    • Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
                                                                                                                                    • Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
                                                                                                                                    • Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
• Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D937
• memset.MSVCRT ref: 0040D94E
  • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
  • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
• _snwprintf.MSVCRT ref: 0040D97D
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
• Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
• Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileNameOpenwcscpy
• String ID: X$xK@
• API String ID: 3246554996-3735201224
• Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
• Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
  • Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF
• CreateFontIndirectW.GDI32(?), ref: 0040105D
• SendDlgItemMessageW.USER32 ref: 0040107C
• SendDlgItemMessageW.USER32 ref: 0040109A
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
• Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
• Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
• Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
• Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
• Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
• Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
• Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
• Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019F1: GetMenu.USER32(?), ref: 00401A0F
  • Part of subcall function 004019F1: GetSubMenu.USER32 ref: 00401A16
  • Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E
  • Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
  • Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73
• GetMenu.USER32(?), ref: 0040E7C9
• GetSubMenu.USER32 ref: 0040E7D6
• GetSubMenu.USER32 ref: 0040E7D9
• CheckMenuRadioItem.USER32 ref: 0040E7E5
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
• Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
• Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
• Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
• GetLastError.KERNEL32 ref: 00417A25
• CloseHandle.KERNEL32(00000000), ref: 00417A3B
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
• Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
• Opcode Fuzzy Hash: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
• Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0
• memcpy.MSVCRT ref: 0042E519
Strings
• Cannot add a column to a view, xrefs: 0042E486
• sqlite_altertab_%s, xrefs: 0042E4EA
• virtual tables may not be altered, xrefs: 0042E470
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
• Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
• Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
• Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE
• API String ID: 3510742995-3459038510
• Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                    • Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
                                                                                                                                    • Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                    • Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00404B07
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                      • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
                                                                                                                                      • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
                                                                                                                                      • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
                                                                                                                                      • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
                                                                                                                                      • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
                                                                                                                                      • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
                                                                                                                                      • Part of subcall function 004088A0: GetOpenFileNameW.COMDLG32(?), ref: 004088E9
                                                                                                                                      • Part of subcall function 004088A0: wcscpy.MSVCRT ref: 004088F7
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
                                                                                                                                    • String ID: *.*$dat$wand.dat
                                                                                                                                    • API String ID: 3589925243-1828844352
                                                                                                                                    • Opcode ID: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                    • Instruction ID: 189ab15ad594b46ceda1379ae2a6b1c5413d0dce04db73f13dfcb8633a17526e
                                                                                                                                    • Opcode Fuzzy Hash: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                    • Instruction Fuzzy Hash: 0841B771600205AFEF10EF61DD86ADE77B5FF40314F10802BFA05A71D2EB79A9958B98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
                                                                                                                                      • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
                                                                                                                                    • wcslen.MSVCRT ref: 0040E4B0
                                                                                                                                    • _wtoi.MSVCRT ref: 0040E4BC
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040E50A
                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040E51B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1549203181-0
                                                                                                                                    • Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
                                                                                                                                    • Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
                                                                                                                                    • Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
                                                                                                                                    • Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpymemsetstrlen
                                                                                                                                    • String ID: Ap@$Ap@
                                                                                                                                    • API String ID: 160209724-724177859
                                                                                                                                    • Opcode ID: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
                                                                                                                                    • Instruction ID: e2bdeeadc1d90758f2de231e66b6cadccfeb655152d102dc9dd3295dcddd65f9
                                                                                                                                    • Opcode Fuzzy Hash: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
                                                                                                                                    • Instruction Fuzzy Hash: 10313371A042069BDB14DFA8AC80BAFB7B89F04310F1100BEE916F72C1DB78DA518769
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040F882
                                                                                                                                      • Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA
                                                                                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
                                                                                                                                    • GetMenuStringW.USER32 ref: 0040F90C
                                                                                                                                    • GetKeyState.USER32(00000010), ref: 0040F938
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3550944819-0
                                                                                                                                    • Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
                                                                                                                                    • Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
                                                                                                                                    • Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
                                                                                                                                    • Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$free
                                                                                                                                    • String ID: Z6@
                                                                                                                                    • API String ID: 2888793982-1638572689
                                                                                                                                    • Opcode ID: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
                                                                                                                                    • Instruction ID: 1cd3d00781b25d2b94616f77ccd2c248328d95a28ed1044bfffefbc926401994
                                                                                                                                    • Opcode Fuzzy Hash: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
                                                                                                                                    • Instruction Fuzzy Hash: EB219034500605EFCB60DF29C98185ABBF6FF84314720467EE852E3790E739EE019B44
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: @
                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                    • Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
                                                                                                                                    • Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
                                                                                                                                    • Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
                                                                                                                                    • Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                    • Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
                                                                                                                                    • Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
                                                                                                                                    • Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
                                                                                                                                    • Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00413DA4
                                                                                                                                      • Part of subcall function 004089E1: _snwprintf.MSVCRT ref: 00408A26
                                                                                                                                      • Part of subcall function 004089E1: memcpy.MSVCRT ref: 00408A36
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00413DCD
                                                                                                                                    • memset.MSVCRT ref: 00413DD7
                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00413DF9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                    • Opcode ID: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
                                                                                                                                    • Instruction ID: e0c1f09ad2cb5d60bcfcc92858fd4079171207d9a16d9363f081e68af551c4db
                                                                                                                                    • Opcode Fuzzy Hash: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
                                                                                                                                    • Instruction Fuzzy Hash: 4D1165B2500129BFEF11AF64DC06EDE7B79EF44711F10006AFB05B2151EA359A608F9D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
• SHGetMalloc.SHELL32(?), ref: 004146C4
• SHBrowseForFolderW.SHELL32(?), ref: 004146F6
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
• wcscpy.MSVCRT ref: 0041471D
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
• Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
• Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
• Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
• _snwprintf.MSVCRT ref: 0040E81D
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
• _snwprintf.MSVCRT ref: 0040E848
• wcscat.MSVCRT ref: 0040E85B
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
• Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
• Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
• Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
• malloc.MSVCRT ref: 00416D74
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74785970,?,00416E7A,?), ref: 00416D93
• free.MSVCRT(00000000,?,74785970,?,00416E7A,?), ref: 00416D9A
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
• Instruction ID: bcab52b9ccbc4c9bc02d63d2584d5636d902a6cb4a382b6ea3df8204de1a5a00
• Opcode Fuzzy Hash: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
• Instruction Fuzzy Hash: 9DF089B260E22D7F7B102A75ACC0D7BBB9CDB862FDB21072FF514A1190D9199C015675
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 004081F8
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
• Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
• Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
• Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417496
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
• GetLastError.KERNEL32 ref: 004174D0
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
• Opcode ID: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
• Instruction ID: 68256e963451342af1775745e88af25fe573ff9f394a0ba2c0bbd214266e5fb2
• Opcode Fuzzy Hash: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
• Instruction Fuzzy Hash: 7701F435504608BFDB219FA0DC84D9B7FBCFB80705F20843AF942D6050D6349984CB74
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00401C64
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 00401C7D
• wcslen.MSVCRT ref: 00401C8B
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
• String ID: Apple Computer\Preferences\keychain.plist
• API String ID: 3183857889-296063946
• Opcode ID: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
• Instruction ID: eecd7d3c3de4f02ea7dbe6204318003872b6068ab845989257e2c34d03a92ed5
• Opcode Fuzzy Hash: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
• Instruction Fuzzy Hash: 08F0F9B250531866FB20A755DC8AFDA73AC9F01314F2001B7E914E20C3FB7CD944469D
Uniqueness
Uniqueness Score: -1.00%
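The function records above (the sqlite_master string at the record keyed 438689982-3163232059, the UnlockFileEx/LockFileEx pair at 004174B6/004174C2, and the SHGetSpecialFolderPathW(…, 0x1A, …) call that builds the Apple Computer\Preferences\keychain.plist path) are the credential-store access an analyst is looking for when triaging a password-recovery payload like this one. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses records in this report's "APIs / String ID" layout, decodes the arguments that matter (the CSIDL passed to SHGetSpecialFolderPathW, the LockFileEx flags, the WideCharToMultiByte code page) and tags each record. The sample input is constructed from four records on this page; the tag names and the decoding tables are the example's own, with constant values as published in the Windows SDK headers. Argument lists in the report are stack snapshots, so only the leading positions are decoded and "?" is treated as unknown.

```python
"""Triage Joe Sandbox "APIs / String ID" function records for credential-store
indicators. Added example, not part of the report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: API and String ID lines copied from four function
# records of this report (memory dump 00000008.00000002, base 0x00400000).
SAMPLE_REPORT = r"""
APIs
Strings
• String ID: sqlite_master
• API String ID: 438689982-3163232059
APIs
• memset.MSVCRT ref: 00417496
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
• GetLastError.KERNEL32 ref: 004174D0
• String ID:
APIs
• memset.MSVCRT ref: 00401C64
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 00401C7D
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
• String ID: Apple Computer\Preferences\keychain.plist
APIs
• memset.MSVCRT ref: 0040CEAF
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
• strlen.MSVCRT ref: 0040CEDE
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF
• String ID:
"""

# One API call line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?) ID:\s*(?P<val>.*?)\s*$")

# Constant values as defined in the Windows SDK (shlobj.h, winnls.h, minwinbase.h).
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
CODEPAGE = {0x0000: "CP_ACP", 0x0001: "CP_OEMCP", 0xFDE9: "CP_UTF8"}
LOCKFILE_FLAGS = {0x1: "LOCKFILE_FAIL_IMMEDIATELY", 0x2: "LOCKFILE_EXCLUSIVE_LOCK"}
# Strings that identify a credential store, or how one is read (tag names are this example's own).
STRING_INDICATORS = {"keychain.plist": "store:safari-keychain",
                     "sqlite_master": "store:sqlite-schema-read"}


@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: Optional[str]


@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)
    string_id: str = ""

    @property
    def key(self) -> str:
        # A record is identified by its first direct (non-subcall) ref;
        # a record with no API lines falls back to its String ID.
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return direct[0] if direct else (self.string_id or "?")


def parse_records(text: str) -> list[Record]:
    records: list[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":          # each record starts with an "APIs" heading
            records.append(Record())
            continue
        if not records:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            records[-1].calls.append(Call(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
            continue
        f = FIELD_LINE.match(line)
        if f and f.group("key") == "String":  # "String ID", not "API String ID"
            records[-1].string_id = f.group("val")
    return records


def _hexarg(args: list[str], i: int) -> Optional[int]:
    # Report argument lists are stack snapshots: "?" means unknown and trailing
    # entries are not always real parameters, so decode leading positions only.
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def tag_record(rec: Record) -> list[str]:
    tags = [tag for needle, tag in STRING_INDICATORS.items() if needle.lower() in rec.string_id.lower()]
    for c in rec.calls:
        if c.name == "SHGetSpecialFolderPathW":          # 3rd parameter is the CSIDL
            csidl = _hexarg(c.args, 2)
            tags.append("folder:" + (CSIDL.get(csidl, f"CSIDL_{csidl:#x}") if csidl is not None else "?"))
        elif c.name == "LockFileEx":                     # 2nd parameter is dwFlags
            flags = _hexarg(c.args, 1) or 0
            tags.append("lock:" + ("|".join(n for b, n in LOCKFILE_FLAGS.items() if flags & b) or "shared"))
        elif c.name == "WideCharToMultiByte":            # 1st parameter is the code page
            cp = _hexarg(c.args, 0)
            tags.append("codepage:" + (CODEPAGE.get(cp, f"{cp:#x}") if cp is not None else "?"))
        elif c.name == "WriteFile":
            tags.append("io:writes-output")
    return tags


def triage(text: str) -> dict[str, list[str]]:
    return {r.key: tag_record(r) for r in parse_records(text)}


if __name__ == "__main__":
    for key, tags in triage(SAMPLE_REPORT).items():
        print(f"{key:<42} {', '.join(tags) or '-'}")
```

Run against the constructed sample, the keychain record comes out as `store:safari-keychain, folder:CSIDL_APPDATA` (the path is built under %APPDATA%), the locking record as `lock:LOCKFILE_FAIL_IMMEDIATELY`, and the output-writing record as `codepage:CP_UTF8, io:writes-output`; feeding it the whole report's records gives a quick map of which functions touch which stores.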

APIs
• memset.MSVCRT ref: 0040CF1E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00445ADC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CF37
• strlen.MSVCRT ref: 0040CF49
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040CF5A
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
• Instruction ID: 14800c8a4aa59548f5ab429dc5ca7c2185fd5422b2c87da3b8dfa48c6c6ad4f5
• Opcode Fuzzy Hash: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
• Instruction Fuzzy Hash: 13F01DB780122CBFFB059B94DCC9EEB776CDB09254F0001A6B709E2052DA749E448BB8
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040CEAF
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
• strlen.MSVCRT ref: 0040CEDE
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
• Instruction ID: 5ca945b9895027beb3426ea3ebb999d168a71141a618eb4a8136c4c05ef02c5a
• Opcode Fuzzy Hash: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
• Instruction Fuzzy Hash: 40F062B680152C7FEB81A794DC81EEB776CEB05258F0041B2B749D2041DD349E084F7C
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
  • Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
  • Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455
• SetBkMode.GDI32(?,00000001), ref: 00413A7C
• SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
• SetTextColor.GDI32(?,00C00000), ref: 00413A98
• GetStockObject.GDI32(00000000), ref: 00413AA0
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
• Opcode ID: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
• Instruction ID: 110bd5b637e4d79b17592fdcf208372bccb43cad252910099e33a416a39d1a4b
• Opcode Fuzzy Hash: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
• Instruction Fuzzy Hash: 4DF0C839100208BBCF216F60DC05ACE3F21AF05362F104136F914541F2CB759A90DB4C
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
• Opcode ID: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
• Instruction ID: ec3377692345dfa8f7b5f00acb1c953adbf394747b85e28386a557f9ea6599fc
• Opcode Fuzzy Hash: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
• Instruction Fuzzy Hash: F4F05E769005199BEF119BA0DC49BBFB3FCBF1670AF008529E052E1090DB74D0048B64
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
• Opcode ID: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
• Instruction ID: a5b74f8db5ede7a3d830d9ef30c1a68d0a9fd07d2d047c5f1f3455979569a65d
• Opcode Fuzzy Hash: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
• Instruction Fuzzy Hash: 6CF08231680710BBE751AF68BC06F467A90A786B93F200427F700A51E2D2F98591CB9C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404C44
  • Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
  • Part of subcall function 0041473D: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
  • Part of subcall function 0041473D: FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
• GetDlgItem.USER32 ref: 00404C56
• GetDlgItem.USER32 ref: 00404C68
• GetDlgItem.USER32 ref: 00404C7A
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Item$Library$AddressFreeLoadProc
• String ID:
• API String ID: 2406072140-0
• Opcode ID: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
• Instruction ID: 228af19f1fcbab99cdef25afc198749965fa335a60b9bcf03d324973c33eddf9
• Opcode Fuzzy Hash: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
• Instruction Fuzzy Hash: C1F01CB54047016BDA313F72CC09D5BBAADEFC1318F020D3EB1A1661E1CBBD94428A58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0040CFDA
• wcschr.MSVCRT ref: 0040CFE8
  • Part of subcall function 00408FA6: wcslen.MSVCRT ref: 00408FC2
  • Part of subcall function 00408FA6: memcpy.MSVCRT ref: 00408FE5
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
• Opcode ID: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
• Instruction ID: cb92cf76e860540842cf0149dc84745c0fdf0d5674f0ab6313b6b46cd67416c3
• Opcode Fuzzy Hash: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
• Instruction Fuzzy Hash: 5331B371904104EFDF10EFA5D8419EEB7B5EF44328F20416FE854B71C2DB7C9A468A58
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpywcschr
• String ID: ZD
• API String ID: 2424118378-3587482827
• Opcode ID: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
• Instruction ID: bc5ff3c8a32915e0c271f67cda952c5327785ed0a9ceb032124e0645629a4555
• Opcode Fuzzy Hash: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
• Instruction Fuzzy Hash: 6B21D372815615AFEB259F18C6809BA73B4EB55354B10003FECC1E73D1EF78EC9186A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
• _memicmp.MSVCRT ref: 0040A1B9
• memcpy.MSVCRT ref: 0040A1D0
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
• Opcode ID: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
• Instruction ID: 99369b2f7b4a62638f95efb923bbf95607b210eae314fb40be60fbcdcdd136bc
• Opcode Fuzzy Hash: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
• Instruction Fuzzy Hash: 8E11E371200304BBEB11DF65CC05F5F7BA8AF91348F00407AF904AB391EA39DA20C7A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
• Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
• Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
• Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
• Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
• CloseHandle.KERNEL32(?), ref: 00417524
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFileHandleUnmapView
• String ID: NA
• API String ID: 2381555830-2562218444
• Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
• Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
• Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
• Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
  • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
  • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 0040907D
  • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 004090A2
• CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
  • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID: {@
• API String ID: 2445788494-1579578673
• Opcode ID: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
• Instruction ID: c5e992bc26eaba96ccce0a59eaf6c8ec24c3530ff69697df2342695e73c728e4
• Opcode Fuzzy Hash: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
• Instruction Fuzzy Hash: A1113376804208AFCB01AF69DC45CDA7B78EE05364751C27BF515A7192D6349E04CBA5
Uniqueness
• Uniqueness Score: -1.00%
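The "API ID" field in each of these records is a fingerprint derived from the API names listed under "APIs" (subcall entries included), which makes it a convenient pivot when hunting for the same routine in other reports. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the "APIs" bullet lines exactly as they appear above and rebuilds the fingerprint. The rules it implements (CamelCase splitting of Win32 names, CRT names and the mangled `??2@`/`??3@` operators kept whole, a small filler-word list, words grouped by occurrence count and each group joined in code-point order) are inferred from the FileTime, GetDlgItem, wcschr, SetFilePointer, UnmapViewOfFile and CreateFileW records on this page; they are an assumption about the report generator, not its documented algorithm, and the filler-word list is the minimum needed to reproduce those records. The numeric "API String ID", the Opcode ID and the fuzzy hashes are not reproduced because the page gives no basis for them.

```python
import re
from collections import Counter

# Assumption (inferred from this page's records, not a documented list): these
# CamelCase fragments are dropped before counting.
STOPWORDS = {"Get", "Set", "To", "Tz", "Of", "Dlg", "W"}

# Matches 'Name.MODULE' right before an argument list or a ' ref: ' marker,
# so the call name is picked out of the report's bullet line and nothing else.
API_LINE = re.compile(r"([?\w@]+\.[A-Z0-9]+)(?=\(| ref: )")


def parse_api_lines(lines):
    """Extract 'Name.MODULE' from report bullet lines such as
    '• GetDlgItem.USER32 ref: 00404C44' or
    '  • Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,...), ref: 00414746'.
    Lines without a call (section labels, empty cells) are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if m:
            calls.append(m.group(1))
    return calls


def tokenize(call):
    """Split one 'Name.MODULE' entry into the words the fingerprint counts."""
    name = call.split(".")[0]
    m = re.match(r"\?\?\d@", name)
    if m:                                    # mangled operator new/delete
        return [m.group(0)]                  # kept as '??2@' / '??3@'
    if name == name.lower():                 # CRT names (memcpy, _memicmp) stay whole
        return [name]
    words = re.findall(r"[A-Z][a-z0-9]*", name)
    return [w for w in words if w not in STOPWORDS]


def api_id(calls):
    """Rebuild the 'API ID' fingerprint from a list of 'Name.MODULE' calls:
    count every word, bucket words by count, concatenate each bucket in
    code-point order, join buckets from most to least frequent with '$'."""
    counts = Counter(w for c in calls for w in tokenize(c))
    buckets = {}
    for word, n in counts.items():
        buckets.setdefault(n, []).append(word)
    # code-point order is why '??2@' sorts before 'Close' and '_memicmp' before 'memcpy'
    return "$".join("".join(sorted(buckets[n])) for n in sorted(buckets, reverse=True))


# Constructed input: the "APIs" cell of the FileTime record above, copied from the report.
TIME_RECORD = [
    "• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C",
    "• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C",
    "• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B",
]

if __name__ == "__main__":
    print(api_id(parse_api_lines(TIME_RECORD)))  # Time$System$File$LocalSpecific
```

Feed it the "APIs" lines of any record on this page and compare the result with the record's own "API ID" line; a mismatch on a record not listed in the lead-in means the inferred word list or tokenisation rule is incomplete, which is exactly the caveat to keep in mind before using a rebuilt fingerprint to pivot across reports.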

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
• Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
• Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
• Opcode Fuzzy Hash: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
• Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileNameSavewcscpy
• String ID: X
• API String ID: 3080202770-3081909835
• Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
• Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
• Opcode Fuzzy Hash: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
• Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _memicmpwcslen
• String ID: History
• API String ID: 1872909662-3892791767
• Opcode ID: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
• Instruction ID: 6d3e5e79fb5ba3dc045185e0f7d8bb4044f56437cf7f7bc11c2c4fdfd27bba80
• Opcode Fuzzy Hash: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
• Instruction Fuzzy Hash: D1F0A4721086019BD210EA298841A6BF7E8DB923A8F11053FF89192283DB3DDC5586A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BFA6
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040BFD5
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: MessageSendmemset
• String ID: "
• API String ID: 568519121-123907689
• Opcode ID: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
• Instruction ID: 52ec7358bf223f21f0f54ed804b07356b6d9a4f052c0f3137058475af9765f6b
• Opcode Fuzzy Hash: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
• Instruction Fuzzy Hash: 66016D75900206ABDB209F5ACC45EAFB7F8FF85745F00802AE855E7281E7349945CF79
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
• memset.MSVCRT ref: 00401930
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
• Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
• Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
• Opcode Fuzzy Hash: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
• Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BC4D
• LoadStringW.USER32(X1E,00000000,?,00001000), ref: 0040BC65
  • Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
  • Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$LoadString_itow
• String ID: X1E
• API String ID: 2363904170-1560614071
• Opcode ID: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
• Instruction ID: f380a03a7eecdd41986674abf89776040d4e37bafc66abb46cfa381fa5204df8
• Opcode Fuzzy Hash: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
• Instruction Fuzzy Hash: 71F082729013286AF720AB459D4AFDB776CDF05744F00007ABB08E5192DB349A40C7ED
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040B94E
• _itow.MSVCRT ref: 0040B95C
  • Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
  • Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32 ref: 0040B90F
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$PrivateProfileString_itow
• String ID: X1E
• API String ID: 1482724422-1560614071
• Opcode ID: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
• Instruction ID: c527bd8864a1e8dc9924cbacd4c6e7ae812da0d58d0774c54ed9ac8dc2116314
• Opcode Fuzzy Hash: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
• Instruction Fuzzy Hash: EDE0BFB294021CB6EF11BFA1CC46F9D77ACBB14748F004025FA05A51D1E7B8E6598759
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040BE92
• wcscat.MSVCRT ref: 0040BEA8
Strings
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
• Instruction ID: 84d8fe8025816c60ed5f34aa0efad718bb16e503e766276e22ad5a10aaf03d01
• Opcode Fuzzy Hash: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
• Instruction Fuzzy Hash: EDC01262586A20A4F622B622AE03B8A02888F52308F25006FFD00341C2EFAC561180EE
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
• Instruction ID: 5583aac8f3c8c6829f169dedbb5c7f3bc80267d871db847419cec400d03eb5c0
• Opcode Fuzzy Hash: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
• Instruction Fuzzy Hash: A551B375A00215EBDF14DF55D882BAEBB75FF04340F54805AED04A6252E7789E50CBE8
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
• Instruction ID: 98264c0c01cbe32efcdb0ac77575e239005db210b2699cda7c9871cbaaee01ad
• Opcode Fuzzy Hash: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
• Instruction Fuzzy Hash: 4B21B5B0A11700CFD7518F6A8485A16FAE8FF95310B26C9AFD159DB6B2D7B8C440CF14
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 004080AC: malloc.MSVCRT ref: 004080C8
  • Part of subcall function 004080AC: memcpy.MSVCRT ref: 004080E0
  • Part of subcall function 004080AC: free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
• memcpy.MSVCRT ref: 00408E44
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
• Instruction ID: da9404a03362d95f45f68813529404a67aab342ff110b4c830d245a8fa10e0ef
• Opcode Fuzzy Hash: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
• Instruction Fuzzy Hash: 7B214F71100604EFD730DF18D98199AB3F5FF853247118A2EF8A69B6E1CB39A915CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,0041767E,?,?,0041767E,00417A93,00000000,?,00417D00,?,00000000), ref: 00416D1A
• malloc.MSVCRT ref: 00416D22
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D39
• free.MSVCRT(00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D40
Memory Dump Source
• Source File: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
• Instruction ID: b9117e17fd0dd3e97e5004a4b09ed95055046f94a1a1b3665f6ad504cf0e37ce
• Opcode Fuzzy Hash: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
• Instruction Fuzzy Hash: DAF0377620521E7BE6102565AC40E77779CEB86276B21072BBD10E65D1ED59EC0046B4
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                    Executed Functions

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 004097B2
                                                                                                                                      • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                      • Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
                                                                                                                                      • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
                                                                                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004098B7
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004098CA
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004098DD
                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
                                                                                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
                                                                                                                                    • memset.MSVCRT ref: 00409964
                                                                                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004099B7
                                                                                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                                                                                                                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                    • API String ID: 594330280-3398334509
                                                                                                                                    • Opcode ID: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
                                                                                                                                    • Instruction ID: 2b0fa152ef01bef0fcdaafddb1ab82311fd8af30ec04a4c20003f9f52c8fe1fb
                                                                                                                                    • Opcode Fuzzy Hash: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
                                                                                                                                    • Instruction Fuzzy Hash: 7B815E71900219EFEF10EF95C885AAEBBB5FF44305F20806EF905B6292D7399E41CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
                                                                                                                                    • FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
                                                                                                                                    • wcslen.MSVCRT ref: 004093F3
                                                                                                                                    • wcslen.MSVCRT ref: 004093FB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileFindwcslen$FirstNext
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2163959949-0
                                                                                                                                    • Opcode ID: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
                                                                                                                                    • Instruction ID: fe44496fd245f22b3294f1be8fcbf5b62ffed3b59158e7af3f9261faba672c79
                                                                                                                                    • Opcode Fuzzy Hash: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
                                                                                                                                    • Instruction Fuzzy Hash: CA11E97240A7019FD7149B64E884A9B73DCEF45324F204A3FF459E31C1EB78AC008718
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00411EC2
                                                                                                                                    • wcsrchr.MSVCRT ref: 00411EDB
                                                                                                                                    • memset.MSVCRT ref: 0041202F
                                                                                                                                      • Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
                                                                                                                                      • Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29
                                                                                                                                      • Part of subcall function 0040956D: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                      • Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
                                                                                                                                      • Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                      • Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
                                                                                                                                      • Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A
                                                                                                                                      • Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
                                                                                                                                      • Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
                                                                                                                                      • Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
                                                                                                                                      • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
                                                                                                                                      • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082
                                                                                                                                    • memset.MSVCRT ref: 0041204B
                                                                                                                                    • memset.MSVCRT ref: 00412061
                                                                                                                                    • memset.MSVCRT ref: 0041207D
                                                                                                                                    • wcslen.MSVCRT ref: 004120C4
                                                                                                                                    • wcslen.MSVCRT ref: 004120D1
                                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
                                                                                                                                    • memset.MSVCRT ref: 0041217E
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
                                                                                                                                      • Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
                                                                                                                                      • Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB
                                                                                                                                    • memset.MSVCRT ref: 00412241
                                                                                                                                    • memset.MSVCRT ref: 0041225B
                                                                                                                                    • wcslen.MSVCRT ref: 00412275
                                                                                                                                    • wcslen.MSVCRT ref: 00412283
                                                                                                                                    • memset.MSVCRT ref: 004122FD
                                                                                                                                    • memset.MSVCRT ref: 00412317
                                                                                                                                    • wcslen.MSVCRT ref: 00412331
                                                                                                                                    • wcslen.MSVCRT ref: 0041233F
                                                                                                                                    • memset.MSVCRT ref: 004123C2
                                                                                                                                    • memset.MSVCRT ref: 004123E0
                                                                                                                                    • memset.MSVCRT ref: 004123FE
                                                                                                                                    • memset.MSVCRT ref: 00412573
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
                                                                                                                                      • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
                                                                                                                                      • Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
                                                                                                                                    • wcslen.MSVCRT ref: 0041245B
                                                                                                                                    • wcslen.MSVCRT ref: 00412469
                                                                                                                                    • wcslen.MSVCRT ref: 004124AF
                                                                                                                                    • wcslen.MSVCRT ref: 004124BD
                                                                                                                                    • wcslen.MSVCRT ref: 00412503
                                                                                                                                    • wcslen.MSVCRT ref: 00412511
                                                                                                                                    • _wcsicmp.MSVCRT ref: 004125DA
                                                                                                                                      • Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                      • Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                      • Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
                                                                                                                                      • Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                      • Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
                                                                                                                                    • String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
                                                                                                                                    • API String ID: 2195781745-1743926287
                                                                                                                                    • Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                    • Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
                                                                                                                                    • Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                    • Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
                                                                                                                                      • Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
                                                                                                                                      • Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
                                                                                                                                      • Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
                                                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
                                                                                                                                    • EnumResourceTypesW.KERNEL32 ref: 0040FFA1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                                                    • API String ID: 2744995895-28296030
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                      • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
                                                                                                                                    • free.MSVCRT(00000000), ref: 00409E9F
                                                                                                                                      • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
                                                                                                                                    • memset.MSVCRT ref: 00409D85
                                                                                                                                      • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
                                                                                                                                      • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
                                                                                                                                    • wcschr.MSVCRT ref: 00409DBD
                                                                                                                                    • memcpy.MSVCRT ref: 00409DF1
                                                                                                                                    • memcpy.MSVCRT ref: 00409E0C
                                                                                                                                    • memcpy.MSVCRT ref: 00409E27
                                                                                                                                    • memcpy.MSVCRT ref: 00409E42
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                    • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                                                                                    • API String ID: 2238633743-2107673790
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 004029C4
                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
                                                                                                                                    • memset.MSVCRT ref: 00402A20
                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00402C96
                                                                                                                                      • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                      • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                      • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                    • memset.MSVCRT ref: 00402A95
                                                                                                                                      • Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5
                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E
                                                                                                                                      • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
                                                                                                                                      • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
                                                                                                                                      • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
                                                                                                                                    • memset.MSVCRT ref: 00402BF7
                                                                                                                                    • memcpy.MSVCRT ref: 00402C0A
                                                                                                                                    • MultiByteToWideChar.KERNEL32 ref: 00402C31
                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00402C3A
                                                                                                                                    Strings
                                                                                                                                    • SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
                                                                                                                                    • chp, xrefs: 004029E6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
                                                                                                                                    • String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
                                                                                                                                    • API String ID: 1340729801-1844170479
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
                                                                                                                                      • Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
                                                                                                                                      • Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
                                                                                                                                      • Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
                                                                                                                                      • Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
                                                                                                                                      • Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
                                                                                                                                    • DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
                                                                                                                                      • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                      • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                      • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                      • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
                                                                                                                                    • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
                                                                                                                                    • WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409B48
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409B4D
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409B52
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
                                                                                                                                    • API String ID: 327780389-4002013007
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413442
                                                                                                                                    • memset.MSVCRT ref: 00413457
                                                                                                                                    • Process32FirstW.KERNEL32(?,?), ref: 00413473
                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
                                                                                                                                    • memset.MSVCRT ref: 004134DF
                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
                                                                                                                                    • free.MSVCRT(-00000028), ref: 00413599
                                                                                                                                    • Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
                                                                                                                                    • CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                    • API String ID: 1344430650-1740548384
                                                                                                                                     Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00410D59
                                                                                                                                    • memset.MSVCRT ref: 00410D6E
                                                                                                                                    • memset.MSVCRT ref: 00410D83
                                                                                                                                    • memset.MSVCRT ref: 00410D98
                                                                                                                                    • memset.MSVCRT ref: 00410DAD
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                      • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                      • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                    • wcslen.MSVCRT ref: 00410DD3
                                                                                                                                    • wcslen.MSVCRT ref: 00410DE4
                                                                                                                                    • wcslen.MSVCRT ref: 00410E1C
                                                                                                                                    • wcslen.MSVCRT ref: 00410E2A
                                                                                                                                    • wcslen.MSVCRT ref: 00410E63
                                                                                                                                    • wcslen.MSVCRT ref: 00410E71
                                                                                                                                    • memset.MSVCRT ref: 00410EF7
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                    • API String ID: 2775653040-2068335096
                                                                                                                                    • Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
                                                                                                                                    • Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
                                                                                                                                    • Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
                                                                                                                                    • Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00410F6A
                                                                                                                                    • memset.MSVCRT ref: 00410F7F
                                                                                                                                    • memset.MSVCRT ref: 00410F94
                                                                                                                                    • memset.MSVCRT ref: 00410FA9
                                                                                                                                    • memset.MSVCRT ref: 00410FBE
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                      • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                      • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                    • wcslen.MSVCRT ref: 00410FE4
                                                                                                                                    • wcslen.MSVCRT ref: 00410FF5
                                                                                                                                    • wcslen.MSVCRT ref: 0041102D
                                                                                                                                    • wcslen.MSVCRT ref: 0041103B
                                                                                                                                    • wcslen.MSVCRT ref: 00411074
                                                                                                                                    • wcslen.MSVCRT ref: 00411082
                                                                                                                                    • memset.MSVCRT ref: 00411108
                                                                                                                                      • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                      • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                    • API String ID: 2775653040-3369679110
                                                                                                                                    • Opcode ID: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                    • Instruction ID: 71a9fb945579d4cb0336c6bc71926503c314de5bf88e5d97c60d5b36565dc427
                                                                                                                                    • Opcode Fuzzy Hash: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                    • Instruction Fuzzy Hash: C3515E729012186ADB20EB51DD86FCF77BD9F85304F1140ABE208E2152EF799BC88B5D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                    • API String ID: 2238633743-70141382
                                                                                                                                    • Opcode ID: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                    • Instruction ID: f29cbade6603fc4a2ab0b3c2c5315d136f5cdb5c857cdf3d96e229ab99d62a04
                                                                                                                                    • Opcode Fuzzy Hash: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                    • Instruction Fuzzy Hash: 07F0B774940784ABDB316F759C09E06BEE0EFA8701721491EE1C153A54D779E040CF88
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
                                                                                                                                      • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                    • wcslen.MSVCRT ref: 004095CC
                                                                                                                                    • wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                    • memset.MSVCRT ref: 00409679
                                                                                                                                    • memcpy.MSVCRT ref: 0040969A
                                                                                                                                    • _wcsnicmp.MSVCRT ref: 004096DF
                                                                                                                                    • wcschr.MSVCRT ref: 00409707
                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                    • String ID: J$Microsoft_WinInet$Microsoft_WinInet_
                                                                                                                                    • API String ID: 1313344744-1864008983
                                                                                                                                    • Opcode ID: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                    • Instruction ID: ea1b4f48df4bf11ab27dc332c663e5edf47b9e63c97f7d7fc3a34612be846c77
                                                                                                                                    • Opcode Fuzzy Hash: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                    • Instruction Fuzzy Hash: A5511AB1D00209AFDF20DFA5C885AAEB7B8FF08304F14446AE919E7242D738AA45CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2827331108-0
                                                                                                                                    • Opcode ID: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                    • Instruction ID: 3deb3861b6046dda02d7dc4087396bab8fe4faf5ffc7b91e65a4640001166331
                                                                                                                                    • Opcode Fuzzy Hash: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                    • Instruction Fuzzy Hash: 3A51C279C00704DFEB30AFA5D8487AE77B4FB86711F20412BF451A7292D7788882CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040A444
                                                                                                                                      • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                      • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
                                                                                                                                      • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
                                                                                                                                      • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
                                                                                                                                    • wcschr.MSVCRT ref: 0040A4D0
                                                                                                                                    • wcschr.MSVCRT ref: 0040A4F0
                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
                                                                                                                                    • GetLastError.KERNEL32 ref: 0040A51F
                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
                                                                                                                                    • FindCloseUrlCache.WININET(?), ref: 0040A55C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                    • String ID: visited:
                                                                                                                                    • API String ID: 615219573-1702587658
                                                                                                                                    • Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                    • Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
                                                                                                                                    • Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                    • Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                    • memset.MSVCRT ref: 00409BC2
    • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
  • free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90
    • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
    • Part of subcall function 00408FFD: wcslen.MSVCRT ref: 0040900C
    • Part of subcall function 00408FFD: _memicmp.MSVCRT ref: 0040903A
  • _snwprintf.MSVCRT ref: 00409C5C
    • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
    • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
    • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
    • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
  • String ID: $ContainerId$Container_%I64d$Containers$Name
  • API String ID: 2804212203-2982631422
  • Instruction ID: b0f72644bbd87b50ea7a8f8ee73cfa3b4c243fbe701b8101a2a2b04dab44341a
  • Opcode Fuzzy Hash: 016f43b69d351da20f18e3d08cfb22cc6f3daed84736ca8803c7e9159e0743c6
  • Instruction Fuzzy Hash: 29319471D042196AEF50EFA5CC45ADEB7F8AF44344F11007BA519B3182DB38AE448B98
Uniqueness
  Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
    • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
    • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
    • Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
    • Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
    • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
    • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
    • Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
    • Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F
    • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
    • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
    • Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
    • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
    • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
    • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
  • _wcslwr.MSVCRT ref: 0040AA14
  • wcslen.MSVCRT ref: 0040AA29
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
  • API String ID: 4091582287-4196376884
  • Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
  • Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
  • Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699
Uniqueness
  Uniqueness Score: -1.00%

APIs
  • memset.MSVCRT ref: 0040A015
  • memset.MSVCRT ref: 0040A02D
    • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • wcslen.MSVCRT ref: 0040A049
  • wcslen.MSVCRT ref: 0040A058
  • wcslen.MSVCRT ref: 0040A09F
  • wcslen.MSVCRT ref: 0040A0AE
    • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
    • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
  • API String ID: 2036768262-2114579845
  • Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
  • Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
  • Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D
Uniqueness
  Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: memcpy
  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
  • API String ID: 3510742995-2641926074
  • Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
  • Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
  • Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99
Uniqueness
  Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
    • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
    • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
    • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A
  • memset.MSVCRT ref: 00410A9A
  • wcslen.MSVCRT ref: 00410AB1
  • wcslen.MSVCRT ref: 00410AB9
  • wcslen.MSVCRT ref: 00410B14
  • wcslen.MSVCRT ref: 00410B22
    • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
    • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: wcslen$memsetwcscat$wcscpy
  • String ID: history.dat$places.sqlite
  • API String ID: 2541527827-467022611
  • Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
  • Opcode Fuzzy Hash: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
  • Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58
Uniqueness
  Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: wcslen$memsetwcscatwcscpy
  • String ID: Login Data$Web Data
  • API String ID: 3932597654-4228647177
  • Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
  • Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
  • Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658
Uniqueness
  Uniqueness Score: -1.00%

APIs
  • CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
  • CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
  • GetLastError.KERNEL32 ref: 00417D99
  • free.MSVCRT(?), ref: 00417DA6
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: CreateFile$ErrorLastfree
  • API String ID: 77810686-0
  • Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
  • Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
  • Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96
Uniqueness
  Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
  • API String ID: 3532479477-0
  • Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
  • Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
  • Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59
Uniqueness
  Uniqueness Score: -1.00%

APIs
  • memset.MSVCRT ref: 00410CA3
  • memset.MSVCRT ref: 00410CB8
    • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
    • Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
    • Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA
  • wcscat.MSVCRT ref: 00410CE1
    • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
    • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
    • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
  • wcscat.MSVCRT ref: 00410D0A
Memory Dump Source
  • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
  • API String ID: 1534475566-1174173950
  • Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
                                                                                                                                    • Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
                                                                                                                                    • Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
                                                                                                                                    • Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
  • Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
  • Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB
  • Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF
• memset.MSVCRT ref: 004035BC
• memcpy.MSVCRT ref: 004035D0
• wcscmp.MSVCRT ref: 004035F8
• _wcsicmp.MSVCRT ref: 0040362F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
• String ID:
• API String ID: 1763786148-3916222277
• Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
• Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
  • Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• memset.MSVCRT ref: 004145B1
• RegCloseKey.ADVAPI32(?), ref: 00414618
• wcscpy.MSVCRT ref: 00414626
  • Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2699640517-2036018995
• Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
• Opcode Fuzzy Hash: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E
Uniqueness
Uniqueness Score: -1.00%
APIs
• wcschr.MSVCRT ref: 00413D15
• _snwprintf.MSVCRT ref: 00413D3A
• WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
• GetPrivateProfileStringW.KERNEL32 ref: 00413D70
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
• Opcode Fuzzy Hash: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
• Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
• Opcode Fuzzy Hash: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
• Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
• Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
• Opcode Fuzzy Hash: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
• Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98
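The memcmp against "SQLite format 3" in the function above is the 16-byte magic (the text plus a terminating NUL) that opens every SQLite 3 database file; it is how a harvester confirms that a file found under a Firefox profile, for example places.sqlite, which holds browsing history, is really a SQLite database before parsing it. The Python below is an added example and not code from this report or from the analysed sample: it performs the same magic check and then decodes the rest of the fixed 100-byte database header (page size, WAL versus rollback journal, page count, text encoding, version of the library that last wrote the file), which is what an analyst needs when a database is recovered from a dump or an exfiltration archive. The header it parses is built by build_sample_header, a constructed sample for the demonstration.

```python
import struct

# 16-byte magic at offset 0 of every SQLite 3 database: the text plus a terminating NUL.
SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100

TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def is_sqlite3(data: bytes) -> bool:
    """The same test as the sample's memcmp: compare the first 16 bytes with the magic."""
    return len(data) >= HEADER_LEN and data[:16] == SQLITE_MAGIC


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the fixed 100-byte header; every multi-byte field is big-endian."""
    if not is_sqlite3(data):
        raise ValueError("not a SQLite 3 database (bad magic or truncated header)")
    raw_page = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_page == 1 else raw_page        # the value 1 encodes 65536
    if page_size < 512 or page_size & (page_size - 1):       # must be a power of two >= 512
        raise ValueError(f"invalid page size {page_size}")
    write_ver, read_ver, reserved = struct.unpack_from(">BBB", data, 18)
    change_counter, page_count = struct.unpack_from(">II", data, 24)
    encoding = struct.unpack_from(">I", data, 56)[0]
    version_num = struct.unpack_from(">I", data, 96)[0]      # SQLITE_VERSION_NUMBER of the last writer
    return {
        "page_size": page_size,
        "usable_page_bytes": page_size - reserved,
        "journal_mode": "wal" if write_ver == 2 else "rollback",
        "read_version": read_ver,
        "change_counter": change_counter,
        "page_count": page_count,
        "db_size_bytes": page_count * page_size,
        "text_encoding": TEXT_ENCODINGS.get(encoding, f"unknown({encoding})"),
        "sqlite_version": f"{version_num // 1000000}.{version_num // 1000 % 1000}.{version_num % 1000}",
    }


def build_sample_header(page_size: int = 4096, page_count: int = 12, wal: bool = True,
                        encoding: int = 1, version_num: int = 3036000) -> bytes:
    """Constructed sample header for the demonstration (not taken from the analysed sample)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 2 if wal else 1       # file format write/read version: 2 = WAL, 1 = legacy
    hdr[20] = 0                               # reserved bytes at the end of each page
    hdr[21:24] = bytes((64, 32, 32))          # payload fractions, fixed by the format
    struct.pack_into(">II", hdr, 24, 7, page_count)   # change counter, database size in pages
    struct.pack_into(">I", hdr, 44, 4)        # schema format number
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">I", hdr, 92, 7)        # version-valid-for, matches the change counter
    struct.pack_into(">I", hdr, 96, version_num)
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_sqlite_header(build_sample_header())
    for key, value in info.items():
        print(f"{key:18} {value}")
```

A harvester only needs the magic; the remaining fields matter to the analyst because a WAL-mode database recovered without its -wal file can be missing the most recent rows, and page_count multiplied by page_size tells you whether the recovered file is complete.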
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
  • Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
  • Part of subcall function 00409A23: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
  • Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
  • Part of subcall function 00409A23: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
  • Part of subcall function 00409A23: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
  • Part of subcall function 00409A23: WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
  • Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
  • Part of subcall function 00409A23: FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87
  • Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
  • Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
  • Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1
• DeleteFileW.KERNELBASE(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
• CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF
  • Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
  • Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
  • Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
• API String ID: 3931293568-1514811420
• Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
• Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
• Opcode Fuzzy Hash: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
• Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
• Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
• Opcode Fuzzy Hash: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
• Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
• LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: PStoreCreateInstance$pstorec.dll
• API String ID: 145871493-2881415372
• Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
• Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
• Opcode Fuzzy Hash: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
• Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004141FE
                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0041420E
                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 00414219
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                    • Opcode ID: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
                                                                                                                                    • Instruction ID: 4db2b1a63d72691fd362fce079069d1f86e41d88e51d490a39d61a138898f27d
                                                                                                                                    • Opcode Fuzzy Hash: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
                                                                                                                                    • Instruction Fuzzy Hash: A8019636A002156B8F155FA5DD4999F7FAAFFC67D0708803AF915CA221DB70C882C688
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                    • Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                    • Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
                                                                                                                                    • Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                    • Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset
                                                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                                                    • Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                    • Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
                                                                                                                                    • Opcode Fuzzy Hash: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                    • Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                    • Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                    • Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
                                                                                                                                    • Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                    • Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
                                                                                                                                      • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
                                                                                                                                    • memcmp.MSVCRT ref: 0044455D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoadmemcmp
                                                                                                                                    • String ID: $$8
                                                                                                                                    • API String ID: 2708812716-435121686
                                                                                                                                    • Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                    • Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
                                                                                                                                    • Opcode Fuzzy Hash: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                    • Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                      • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                    • wcslen.MSVCRT ref: 0040A819
                                                                                                                                    • memset.MSVCRT ref: 0040A898
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$LibraryLoadmemsetwcslen
                                                                                                                                    • String ID: P5@
                                                                                                                                    • API String ID: 1960736289-1192260740
                                                                                                                                    • Opcode ID: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                    • Instruction ID: 9cce22c2db06112b06b017d7de527652cc15472bfd2168745658b7e1f8ccbd38
                                                                                                                                    • Opcode Fuzzy Hash: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                    • Instruction Fuzzy Hash: CC31D272500208AFDF10EFA4CC85DEE77B9AF48304F15887AF505F7281D638AE198B66
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
                                                                                                                                      • Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
                                                                                                                                      • Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2
                                                                                                                                      • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
                                                                                                                                    • free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1355100292-0
                                                                                                                                    • Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                    • Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
                                                                                                                                    • Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                    • Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
                                                                                                                                      • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
                                                                                                                                      • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3
                                                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
                                                                                                                                    • GetLastError.KERNEL32 ref: 00416F42
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$File$PointerRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 839530781-0
                                                                                                                                    • Opcode ID: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
                                                                                                                                    • Instruction ID: add61fd64035c303a46c69afbbac6c0b4560a134b5de48ff3df98cfac7bf87f9
                                                                                                                                    • Opcode Fuzzy Hash: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
                                                                                                                                    • Instruction Fuzzy Hash: 2D01AD3A208208BBEB108F65EC45FEA3B6CEF053A4F114426F908C6250D724EC9186E9
                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1858513025-2863569691
• Opcode ID: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
• Instruction ID: 18b6580ac0a830e75170eb0e1623f763ef95ee80692c464e75bb199377268105
• Opcode Fuzzy Hash: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
• Instruction Fuzzy Hash: 20016D7140526859EB20EA61DC42ADE726CAF04304F5001BBA818F21C2EB789F929F5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
• GetLastError.KERNEL32 ref: 00416EBD
• GetLastError.KERNEL32 ref: 00416EC3
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
• Instruction ID: 37b1e2f091545ca96408f8d6a34600ec4a403a46a608ba1f9fdc83bbdb8077e2
• Opcode Fuzzy Hash: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
• Instruction Fuzzy Hash: F4F06536914619BBCF009F74DC009EA7BE8EB05361B104726F832D62D1E731EE419A94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
• GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction ID: a19870345f686364ec187dd7d23bdf0954ef371c81d74b5a6631b0975d4c9c24
• Opcode Fuzzy Hash: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction Fuzzy Hash: BDE0927A900328BBDF205B60DC0CFCB377CEF46304F000070B945E6152EA7896888BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• malloc.MSVCRT ref: 004080C8
• memcpy.MSVCRT ref: 004080E0
• free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction ID: 78eaf63d8c2f3f9895426ca65e1500e544e2a4a90d5a49d0f549448db46f5a47
• Opcode Fuzzy Hash: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction Fuzzy Hash: 50F0E2726052229FD718EE75BA8180BB39DAF85364712883FF444E3282DF3C9C44C7A8
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: CCD
• API String ID: 2738559852-662205380
• Opcode ID: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction ID: 69216e87a8676b039392231de9c3b52b74dec2ebcb54b9129181f8e0c6c75afe
• Opcode Fuzzy Hash: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction Fuzzy Hash: 6CD0C93541020DFBDF01CF80DC06FDD7BBDEB05359F108054BA0095160C7759A10AB54
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 581700d0edc2a8117bb5fbd40871278af0e05eb09add98efced60719e19a31a8
• Instruction ID: fc4515617b89e60a19d50c15f4f69ae244da8edec6c232cce581781c6edd6396
• Opcode Fuzzy Hash: 581700d0edc2a8117bb5fbd40871278af0e05eb09add98efced60719e19a31a8
• Instruction Fuzzy Hash: 5981B031608312AFCB10DF19D84165FBBE0EF88718F12992FF8949B251D778DA45CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction ID: 80603cce4df8086f4253f53369ac634731a2704b4a2dc635bb3c7b15e71801b6
• Opcode Fuzzy Hash: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction Fuzzy Hash: B951AD75A043459FDB21DF2AC881BEA7BE4EF48350F14446AEC89CB341D738D980CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
• FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
  • Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
  • Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
  • Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
• Opcode ID: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
• Instruction ID: 75199abba107ca30350ead5857dca6b94cadfdfaeaa302ec2f3d27d1e62cce92
• Opcode Fuzzy Hash: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
• Instruction Fuzzy Hash: BD417F35E00604EBCB219FA9C885A5EB7B6AF54714F20406FF446AB2D1CB389E44DA99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
• Instruction ID: 2161babe09ea1c109a016804ff5c091d56ac672142073ac0305c405afa28cd18
• Opcode Fuzzy Hash: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
• Instruction Fuzzy Hash: 37216074B00205AFD714EFAAC881A9DB7A9FF84304F1001BFA415A7782DB79AD148B95
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004182A7
• GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
• Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
• Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
• Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 00414C46
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
• Instruction ID: cc16955a0d14ca8776a7aa5b229d79c98c920de21d1adc6b7d8c4ece6c284845
• Opcode Fuzzy Hash: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
• Instruction Fuzzy Hash: 64E020B7F0361267C2004615DC0168777959FD132171B0637F95CD3680D63CD84587A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000064), ref: 00416EEB
• FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ChangeCloseFindNotificationSleep
• String ID:
• API String ID: 1821831730-0
• Opcode ID: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
• Instruction ID: ddbdeb719d62bbcd0ae2c24f8bc232808eb7cee6ac061654c4d164212cdc0068
• Opcode Fuzzy Hash: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
• Instruction Fuzzy Hash: 35E0C23F11071A9FDB0097BCDC90AD773D8EF56338726433AF662C61A0CA65D8828654
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
                                                                                                                                    • API ID: memcmpmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1065087418-0
                                                                                                                                    • Opcode ID: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                    • Instruction ID: 1efd5175aaeb232b83b4fa12f0066e98a2b2c589ef3b7fe000d2c80dadf29316
                                                                                                                                    • Opcode Fuzzy Hash: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                    • Instruction Fuzzy Hash: AF617C71A01245EFDB10EFA485C06EEB7B4FB54308F14846FE11497281E738AED59B9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2221118986-0
                                                                                                                                    • Opcode ID: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
                                                                                                                                    • Instruction ID: 158bf94f573ecacca79ccaf447c09fb498ee4e42fef6769a8b2fd70c0d8b82a4
                                                                                                                                    • Opcode Fuzzy Hash: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
                                                                                                                                    • Instruction Fuzzy Hash: 0D417A72500602EFCB309F64D9848ABB7F6FB14314710492FE54AC7660EB38E9D5CB58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
                                                                                                                                      • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22
                                                                                                                                      • Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
                                                                                                                                      • Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
                                                                                                                                      • Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF
                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcslen$File$Time$CloseCompareCreateHandlememset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4204647287-0
                                                                                                                                    • Opcode ID: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                    • Instruction ID: e327927a43c347593f183825775ae13c5bf460ea87da421573a566f28fb83fb7
                                                                                                                                    • Opcode Fuzzy Hash: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                    • Instruction Fuzzy Hash: 7A117076C00218EBCF11EBA5DA419DEB7B9EF44300F10006BE441F3281EA749B84CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                    • Opcode ID: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                    • Instruction ID: 10cf5b1db118189887eacc4ff35e91e25d6bd08443c232d43c4ae27a9a01ea3e
                                                                                                                                    • Opcode Fuzzy Hash: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                    • Instruction Fuzzy Hash: FBE0C776100100FFE620AF08CC06F2BBBF8EFC4B00F10882EB2C49A0B5C6326812CB25
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 00413E45
                                                                                                                                      • Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
                                                                                                                                      • Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
                                                                                                                                      • Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                    • Opcode ID: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                    • Instruction ID: 5d66eace87880ca3e294b7f0e570a8e3be22b6ae62b10c3d44e19be24f2def2d
                                                                                                                                    • Opcode Fuzzy Hash: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                    • Instruction Fuzzy Hash: 89E0B632000249ABDF126F91EC01AAA7F66FF14315F148459FD6C14121D33295B0AF84
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                    • Opcode ID: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                    • Instruction ID: 39ddfc5443798b4b2f471bdaff8db486b4a9363c7739a8bb917076c50ef601e7
                                                                                                                                    • Opcode Fuzzy Hash: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                    • Instruction Fuzzy Hash: 92E0F6B5900B008F97308F2BE944506FBF8BEE46103108A1F91AAC2A21C3B4A5498F94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                      • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$FileLibraryLoadModuleName
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3821362017-0
                                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                    • Instruction ID: 7bbd5afd8370dadb00360ee8d7667c1b04e34d2617d736b2e99a938255987c13
                                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                    • Instruction Fuzzy Hash: 7CD022312043007BD231EE708C00FCBB3E8BF44711F028C1AB190E2280C3B8C9409308
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                    • Opcode ID: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
                                                                                                                                    • Instruction ID: 53121aa1ed69e67302caa1b874726051d72530908054280e128cb363a29a4499
                                                                                                                                    • Opcode Fuzzy Hash: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
                                                                                                                                    • Instruction Fuzzy Hash: 51D0C9324005229BDB00AF26EC45B857368EF00351B150025E800BB492D738BEA28ADC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                    • Opcode ID: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
                                                                                                                                    • Instruction ID: 44b36b217b32540387e14a2368d622af177610148a3238ec1afc6282a592e5c5
                                                                                                                                    • Opcode Fuzzy Hash: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
                                                                                                                                    • Instruction Fuzzy Hash: 64D0C93551020DFFDF01CF80DD06FDE7B7DEB04359F104054BA0495060C7B59A10AB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFile
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                    • Opcode ID: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
                                                                                                                                    • Instruction ID: 729bcb02508df23f9412a42fb8e8b3188fed1bd1f0cd2b7b0f8edc4fa6246a8f
                                                                                                                                    • Opcode Fuzzy Hash: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
                                                                                                                                    • Instruction Fuzzy Hash: E3C092B4240201BEFF228B10ED15F36295CD740700F2044247E00E80E0D1A04E108924
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFile
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                    • Opcode ID: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
                                                                                                                                    • Instruction ID: edb615435fe3ce855b8554d9524e6f242ae4b45eb81851bd3d2393cb7dc29c83
                                                                                                                                    • Opcode Fuzzy Hash: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
                                                                                                                                    • Instruction Fuzzy Hash: 67C012F43503017FFF208B10AD0AF37395DD780700F1084207F00E80E1D2E14C008924
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                    • Opcode ID: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
                                                                                                                                    • Instruction ID: 664dc763c5da3aaab367392b47211da9bee634dc4adcd4213ebe75a48c3d30fa
                                                                                                                                    • Opcode Fuzzy Hash: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
                                                                                                                                    • Instruction Fuzzy Hash: 6EC09BB29127015BF7309F66C40471373D85F50767F314C5DA4D1964C1DB7CD5408514
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                    • Opcode ID: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
                                                                                                                                    • Instruction ID: 894f21907dab3ca3b917dc931ff3d8bd940b81db11264512214ff9c0d0df685d
                                                                                                                                    • Opcode Fuzzy Hash: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
                                                                                                                                    • Instruction Fuzzy Hash: 23C09B35654341A7C7029F109C0DF1E7EA5BB95705F504C29B151940A0C75251549609
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseFind
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                    • Opcode ID: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
                                                                                                                                    • Instruction ID: 3bd61d94ea2d0ebbf22c21a92135ad1df5e9ea430364887b997a0a3dbe6c7a02
                                                                                                                                    • Opcode Fuzzy Hash: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
                                                                                                                                    • Instruction Fuzzy Hash: 3EC048345109018BD6289F38986A52A77A0AA5A3303A44F6CA0F2920E2E73888428A04
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                    • Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
                                                                                                                                    • Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
                                                                                                                                    • Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
                                                                                                                                    • Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AttributesFile
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                    • Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
                                                                                                                                    • Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
                                                                                                                                    • Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
                                                                                                                                    • Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Open
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                    • Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                    • Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
                                                                                                                                    • Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                    • Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
                                                                                                                                    • Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
                                                                                                                                    • Opcode Fuzzy Hash: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
                                                                                                                                    • Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                      • Part of subcall function 004057D2: SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                    • memcpy.MSVCRT ref: 00405E6E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@FilePointermemcpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 609303285-0
                                                                                                                                    • Opcode ID: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                    • Instruction ID: b6d0ac0748dce8c6543b82d29fb895a5afc24863716f8b43ab814fbacadff293
                                                                                                                                    • Opcode Fuzzy Hash: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                    • Instruction Fuzzy Hash: 2F11B272500908BBD711A755C844F9F77ACEF84318F15807BF94573182C738AE068BE9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2081463915-0
                                                                                                                                    • Opcode ID: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                    • Instruction ID: 08e2259bb844cdb7583518af71a3b249da553f2a004d57c4b783ea4beab812a3
                                                                                                                                    • Opcode Fuzzy Hash: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                    • Instruction Fuzzy Hash: 3B118871600605AFDB10DF65C8C199AB7F8FF04314F11853EE416E7281EB34F9158B68
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004057C0: CloseHandle.KERNEL32(000000FF,00405750,00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF), ref: 004057C8
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF,00000000,00000104), ref: 004057AD
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2136311172-0
                                                                                                                                    • Opcode ID: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                    • Instruction ID: 00704370d8ec878584a64fe5f9f18aab24b7d249e6cd1ef38c395e5c556ec921
                                                                                                                                    • Opcode Fuzzy Hash: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                    • Instruction Fuzzy Hash: 190181B5415A00DFE7205B30C905BA776E8EF51315F10893FE595E72C1EB7C9480DAAE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1936579350-0
Uniqueness Score: -1.00%

APIs
• free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness Score: -1.00%

APIs
• free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness Score: -1.00%

Non-executed Functions

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00408CC4
• FindNextFileW.KERNEL32(00000000,?), ref: 00408CE3
• FindClose.KERNEL32(00000000), ref: 00408D03
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: .$1k@$nss3.dll
• API String ID: 3541575487-3908353483
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 0040233E
• _wcsicmp.MSVCRT ref: 0040236E
• _wcsicmp.MSVCRT ref: 0040239B
• _wcsicmp.MSVCRT ref: 004023C8
  • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
  • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
• memset.MSVCRT ref: 0040276C
• memcpy.MSVCRT ref: 004027A1
  • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
  • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
  • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
• memcpy.MSVCRT ref: 004027FD
• LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
• FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 462158748-1134094380
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00443A8C
• wcscpy.MSVCRT ref: 00443AA3
• memset.MSVCRT ref: 00443AD6
• wcscpy.MSVCRT ref: 00443AEC
• wcscat.MSVCRT ref: 00443AFD
• wcscpy.MSVCRT ref: 00443B23
• wcscat.MSVCRT ref: 00443B34
• wcscpy.MSVCRT ref: 00443B5B
• wcscat.MSVCRT ref: 00443B6C
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
• LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
• LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
• LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
• GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
• GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
• GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
• GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
• GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
• GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
• GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
• String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
• API String ID: 2522319644-522817110
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
• API String ID: 2787044678-1843504584
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00413709
• GetDlgItem.USER32 ref: 00413715
• GetWindowLongW.USER32(00000000,000000F0), ref: 00413724
• GetWindowLongW.USER32(?,000000F0), ref: 00413730
• GetWindowLongW.USER32(00000000,000000EC), ref: 00413739
• GetWindowLongW.USER32(?,000000EC), ref: 00413745
• GetWindowRect.USER32 ref: 00413757
• GetWindowRect.USER32 ref: 00413762
• MapWindowPoints.USER32 ref: 00413776
• MapWindowPoints.USER32 ref: 00413784
• GetDC.USER32 ref: 004137BD
• wcslen.MSVCRT ref: 004137FD
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0041380E
• ReleaseDC.USER32 ref: 0041385B
• _snwprintf.MSVCRT ref: 0041391E
• SetWindowTextW.USER32(?,?), ref: 00413932
• SetWindowTextW.USER32(?,00000000), ref: 00413950
• GetDlgItem.USER32 ref: 00413986
• GetWindowRect.USER32 ref: 00413996
• MapWindowPoints.USER32 ref: 004139A4
• GetClientRect.USER32 ref: 004139BB
• GetWindowRect.USER32 ref: 004139C5
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00413A0B
• GetClientRect.USER32 ref: 00413A15
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00413A4D
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
                                                                                                                                    • Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                    • Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
                                                                                                                                    • Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                    • Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID: WebBrowserPassView
• API String ID: 829165378-2171583229
• Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
• Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
• Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
• Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
  • Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
  • Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46
• memset.MSVCRT ref: 004071FD
• memset.MSVCRT ref: 00407212
• _wtoi.MSVCRT ref: 00407306
• _wcsicmp.MSVCRT ref: 0040731A
• memset.MSVCRT ref: 0040733B
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB
  • Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
  • Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
• API String ID: 249851626-1964116028
• Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
• Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69
Uniqueness
Uniqueness Score: -1.00%
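The entry above is the part of the embedded WebBrowserPassView code that walks the `logins` array of a Firefox logins.json: every WideCharToMultiByte call uses code page 0xFDE9 (65001, UTF-8) and a 0x3FF-byte destination, the `time*` keys go through `_wtoi64` and `timesUsed` through `_wtoi`, and the string list names exactly the keys the parser touches. The Python below is an added triage helper written for this report, not code from the sample or from the report itself: it parses a constructed logins.json carrying the same keys and lists what a stealer with this parser would have obtained, leaving the encrypted blobs untouched (decrypting them needs the NSS routines that a later entry of this report resolves). The sample content, the buffer-size mirroring and the ISO timestamp rendering are assumptions made here.

```python
import json
from datetime import datetime, timezone

# 0x3FF is the destination size the report shows for every
# WideCharToMultiByte(0xFDE9 = CP_UTF8, ...) call: each field lands in a
# 1023-byte UTF-8 buffer. Mirroring that bound is an assumption of this example.
UTF8_FIELD_LIMIT = 0x3FF

# Keys named in the report's string list, grouped by how the parser treats them.
TEXT_FIELDS = ("hostname", "httpRealm", "usernameField", "passwordField")
BLOB_FIELDS = ("encryptedUsername", "encryptedPassword")
TIME_FIELDS = ("timeCreated", "timeLastUsed", "timePasswordChanged")

# Constructed logins.json content (assumption: two entries shaped like a real
# Firefox store; the blobs are placeholders, not PK11SDR ciphertext).
SAMPLE_LOGINS_JSON = """{
  "logins": [
    {
      "hostname": "https://mail.example.test",
      "httpRealm": null,
      "usernameField": "username",
      "passwordField": "password",
      "encryptedUsername": "PLACEHOLDER-BLOB-U1",
      "encryptedPassword": "PLACEHOLDER-BLOB-P1",
      "timeCreated": 1600000000000,
      "timeLastUsed": 1600086400000,
      "timePasswordChanged": 1600000000000,
      "timesUsed": 7
    },
    {
      "hostname": "https://router.example.test",
      "httpRealm": "Admin Area",
      "usernameField": "",
      "passwordField": "",
      "encryptedUsername": "PLACEHOLDER-BLOB-U2",
      "encryptedPassword": "PLACEHOLDER-BLOB-P2",
      "timeCreated": 1600000000000,
      "timeLastUsed": 1600000000000,
      "timePasswordChanged": 1600000000000,
      "timesUsed": 1
    }
  ]
}"""


def utf8_bounded(value, limit=UTF8_FIELD_LIMIT):
    """Mirror the sample's field conversion: a JSON null becomes an empty
    string and longer text is cut to the buffer size on a UTF-8 character
    boundary (a partial trailing sequence is dropped, not kept)."""
    if value is None:
        return ""
    return str(value).encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def ms_to_iso(value):
    """Firefox stores the time* keys as milliseconds since the Unix epoch;
    the sample reads them with _wtoi64. A missing or null value stays None."""
    if value is None:
        return None
    stamp = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")


def inventory_logins(text):
    """One record per element of the 'logins' array, restricted to the keys
    the sample's parser handles. Encrypted blobs are passed through as-is."""
    records = []
    for entry in json.loads(text).get("logins", []):
        rec = {name: utf8_bounded(entry.get(name)) for name in TEXT_FIELDS}
        rec.update({name: entry.get(name) or "" for name in BLOB_FIELDS})
        rec.update({name: ms_to_iso(entry.get(name)) for name in TIME_FIELDS})
        rec["timesUsed"] = int(entry.get("timesUsed") or 0)  # _wtoi in the sample
        records.append(rec)
    return records


def exposed_hosts(text):
    """Hosts whose credentials a victim has to rotate, de-duplicated in file order."""
    hosts = []
    for rec in inventory_logins(text):
        if rec["hostname"] and rec["hostname"] not in hosts:
            hosts.append(rec["hostname"])
    return hosts


if __name__ == "__main__":
    for rec in inventory_logins(SAMPLE_LOGINS_JSON):
        print(rec["hostname"], rec["httpRealm"] or "-", rec["timeLastUsed"], rec["timesUsed"])
    print("rotate:", exposed_hosts(SAMPLE_LOGINS_JSON))
```

On a real incident, point `inventory_logins` at the logins.json from the affected profile; the encrypted fields are left alone on purpose, since the part of the sample that decrypts them is a separate routine and the inventory (which hosts, which realm, when last used) is what the victim needs for rotation.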

APIs
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F
• {Unknown}, xrefs: 00411492
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
• Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00411781
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
• SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
• memset.MSVCRT ref: 004117F1
• wcslen.MSVCRT ref: 004117FE
• wcslen.MSVCRT ref: 0041180D
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
• GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
• GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
• GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
• GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
• GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
• GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
• GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8
  • Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
  • Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
  • Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
  • Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
  • Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
• API String ID: 2554026968-4029219660
• Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
• Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
• Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
• Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00411760: memset.MSVCRT ref: 00411781
  • Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
  • Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
  • Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
  • Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
  • Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
  • Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
  • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
  • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
• memset.MSVCRT ref: 004079D1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
• memset.MSVCRT ref: 00407A23
• memset.MSVCRT ref: 00407A3B
• memset.MSVCRT ref: 00407A53
• memset.MSVCRT ref: 00407A6B
• memset.MSVCRT ref: 00407A83
• wcslen.MSVCRT ref: 00407A8E
• wcslen.MSVCRT ref: 00407A9C
• wcslen.MSVCRT ref: 00407ACB
• wcslen.MSVCRT ref: 00407AD9
• wcslen.MSVCRT ref: 00407B08
• wcslen.MSVCRT ref: 00407B16
• wcslen.MSVCRT ref: 00407B45
• wcslen.MSVCRT ref: 00407B53
• wcslen.MSVCRT ref: 00407B82
• wcslen.MSVCRT ref: 00407B90
• SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
  • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
  • Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
  • Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
  • Part of subcall function 0040744D: memset.MSVCRT ref: 00407520
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
• String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
• API String ID: 3287676187-2852686199
• Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
• Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
• Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
• Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
• String ID: General$IsRelative$Path$Profile%d$profiles.ini
• API String ID: 3014334669-2600475665
• Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
• Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
• Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
• Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B5D4: LoadMenuW.USER32 ref: 0040B5DC
• SetMenu.USER32(?,00000000), ref: 0040EC7A
• CreateStatusWindowW.COMCTL32(50000000,Function_0004552C,?,00000101), ref: 0040EC95
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040ECAD
• GetModuleHandleW.KERNEL32(00000000), ref: 0040ECBC
• LoadImageW.USER32 ref: 0040ECC9
• CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040ECF3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040ED00
• CreateWindowExW.USER32 ref: 0040ED27
• memcpy.MSVCRT ref: 0040EDEF
• ShowWindow.USER32(?,?), ref: 0040EE25
• GetFileAttributesW.KERNEL32(00453928), ref: 0040EE56
• GetTempPathW.KERNEL32(00000104,00453928), ref: 0040EE66
• wcslen.MSVCRT ref: 0040EE6D
• wcslen.MSVCRT ref: 0040EE7B
• RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040EEC8
• SendMessageW.USER32(?,00000404,00000002,?), ref: 0040EF02
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040EF15
  • Part of subcall function 00403D7A: wcslen.MSVCRT ref: 00403D97
  • Part of subcall function 00403D7A: SendMessageW.USER32(?,00001061,?,?), ref: 00403DBB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Message$SendWindow$Createwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpy
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
• API String ID: 1225797202-2103577948
• Opcode ID: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
• Instruction ID: 8c9b3575536fccf7ef0877cb0e8d9f23cb5666ec72f10922821c14b88f39767b
• Opcode Fuzzy Hash: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
• Instruction Fuzzy Hash: B5B1A271540388AFEF11DF64CC89BCA7FA5AF55304F0404BAFA48AF292C7B99544CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
  • Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
  • Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
  • Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5
• GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
• LoadIconW.USER32(00000000,00000072), ref: 00403785
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
• GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
• LoadIconW.USER32(00000000,00000074), ref: 0040379F
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
• LoadIconW.USER32(00000000,00000073), ref: 004037B3
• ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
• GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
• LoadIconW.USER32(00000000,00000075), ref: 004037C7
• ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
• GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
• LoadIconW.USER32(00000000,0000006F), ref: 004037DB
• ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
• GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
• LoadIconW.USER32(00000000,00000076), ref: 004037EF
• ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
• LoadIconW.USER32(00000000,00000077), ref: 00403803
• ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
• GetModuleHandleW.KERNEL32(00000000), ref: 00403812
• LoadIconW.USER32(00000000,00000070), ref: 00403817
• ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 715923342-0
• Opcode ID: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
• Instruction ID: b7e10a9324f3d83bf9194ece928487740f847c1137f1a2c01f1b8e69b6e47de2
• Opcode Fuzzy Hash: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
• Instruction Fuzzy Hash: 1711F160B857087AFA3137B2DC4BF7B7A5EDF81B85F114414F35D990E0C9E6AC105928
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
• ??2@YAPAXI@Z.MSVCRT ref: 00443D51
• GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
• VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
• _snwprintf.MSVCRT ref: 00443DD1
• wcscpy.MSVCRT ref: 00443DFB
• ??3@YAXPAX@Z.MSVCRT ref: 00443EAB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 1223191525-1542517562
• Opcode ID: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
• Instruction ID: f644ee0d2354bfc8442d092a800b66c1527b1609597f5fb91e8fdc391f94498a
• Opcode Fuzzy Hash: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
• Instruction Fuzzy Hash: 164133B2900218BAEB04EFA1DD82DDEB7BCAF48704F110517B515A3142DB78EA559BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040E0B9
• memset.MSVCRT ref: 0040E0CE
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
• SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
• ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
• SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
• LoadImageW.USER32 ref: 0040E19F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
• LoadImageW.USER32 ref: 0040E1BC
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
• GetSysColor.USER32(0000000F), ref: 0040E1D5
• ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
• ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
• DeleteObject.GDI32(?), ref: 0040E20C
• DeleteObject.GDI32(?), ref: 0040E212
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 304928396-0
• Opcode ID: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction ID: d1f198460081c9bd407666b3734bdbb6004887ae833e7bd4338906f330e243fe
• Opcode Fuzzy Hash: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction Fuzzy Hash: F241E975640704BFEB20AF70DC4AF9777ADFB09705F000829F399A91D1CAF5A8508B29
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406B72
  • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
• _wcsnicmp.MSVCRT ref: 00406BE5
• memset.MSVCRT ref: 00406C09
• memset.MSVCRT ref: 00406C25
• _snwprintf.MSVCRT ref: 00406C45
• wcsrchr.MSVCRT ref: 00406C6C
• CompareFileTime.KERNEL32(?,?,00000000), ref: 00406C9F
• wcscpy.MSVCRT ref: 00406CC1
• memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00413EE6: RegEnumKeyExW.ADVAPI32(00000000,00411799,00411799,?,00000000,00000000,00000000,00411799,00411799,00000000), ref: 00413F09
• RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
• wcscpy.MSVCRT ref: 00406D07
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
• String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 1094916163-2797892316
• Opcode ID: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
• Instruction ID: 3a0c8bae75b73356f025c28445405007b897e2e36fb84af6dfbdfac580efd4a0
• Instruction Fuzzy Hash: 9961BBB2D04229AAEF20EBA1CC45BDF77BCFF45344F010476E909F2181EB795A548B59
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
• Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
• Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
• Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
• GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
• Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
• Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
• Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
• Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
• Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
• Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
• Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
• Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BD76
• memset.MSVCRT ref: 0040BD92
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
  • Part of subcall function 00443D20: GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
  • Part of subcall function 00443D20: ??2@YAPAXI@Z.MSVCRT ref: 00443D51
  • Part of subcall function 00443D20: GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
  • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
  • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
  • Part of subcall function 00443D20: _snwprintf.MSVCRT ref: 00443DD1
  • Part of subcall function 00443D20: wcscpy.MSVCRT ref: 00443DFB
• wcscpy.MSVCRT ref: 0040BDD6
• wcscpy.MSVCRT ref: 0040BDE5
• wcscpy.MSVCRT ref: 0040BDF5
• EnumResourceNamesW.KERNEL32(0040BEF4,00000004,0040BB24,00000000), ref: 0040BE5A
• EnumResourceNamesW.KERNEL32(0040BEF4,00000005,0040BB24,00000000), ref: 0040BE64
• wcscpy.MSVCRT ref: 0040BE6C
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
• String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3037099051-517860148
• Opcode ID: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
• Instruction ID: d02a95b1ac945ad733c6c475c60bd1556454897fd3a1253caa6bc47d13ece21f
• Instruction Fuzzy Hash: AD21A9B294021876EB20BB529C46FCB7B6CDF55754F00047BF50871192DBBC9A94C6EE
• Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
• GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
• GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
• GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
• GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
• GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-1621422469
• Opcode ID: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
• Instruction ID: d7a6577b60cfc464e8e16958ee64dd601e1a2e2a5708563609cb1b578f097ad1
• Instruction Fuzzy Hash: A2F0F974940B44AFEF306F769D49E06BEF0EFA87017214D2EE0C1A3651D7B99100CE48
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
• ??2@YAPAXI@Z.MSVCRT ref: 00407774
  • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
• memset.MSVCRT ref: 004077A6
• memset.MSVCRT ref: 004077C8
• memset.MSVCRT ref: 004077DD
• strcmp.MSVCRT ref: 0040781C
• strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
• strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
• memset.MSVCRT ref: 004078E5
• strcmp.MSVCRT ref: 00407949
• ??3@YAXPAX@Z.MSVCRT ref: 0040797B
• CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3751793120-2854292027
                                                                                                                                    • Opcode ID: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                    • Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
                                                                                                                                    • Opcode Fuzzy Hash: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                    • Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(psapi.dll,?,00411582), ref: 00412FAC
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412FC5
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412FD6
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00412FE7
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00412FF8
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413009
                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413029
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                    • API String ID: 2449869053-70141382
                                                                                                                                    • Opcode ID: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                    • Instruction ID: 777907c91c3138f07d32b7effc6a6e277a0cb3bdfe1d402d2202e46302417196
                                                                                                                                    • Opcode Fuzzy Hash: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                    • Instruction Fuzzy Hash: B5014030940715AAD7318F256E44B6A2EE4E759B83B14002BA404D2A5AEBB8D941DBAC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                    • API String ID: 2081463915-1959339147
                                                                                                                                    • Opcode ID: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                    • Instruction ID: 6ae1867121f1a9de607d4cf96a2848453b881622ab493d5bc2878352e6736150
                                                                                                                                    • Opcode Fuzzy Hash: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                    • Instruction Fuzzy Hash: 4D01EC6328A32164F97469A7AC07F8B0A49CBD2F7AF71543BF904D41C6FF8D944560AC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00411589), ref: 00412F24
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00412F3D
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00412F4E
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00412F5F
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00412F70
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00412F81
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                    • Opcode ID: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
                                                                                                                                    • Instruction ID: 90193f1111e05c4afbc6439255eabbfb584b4719c6c3eda45dffcf0f008ca331
                                                                                                                                    • Opcode Fuzzy Hash: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
                                                                                                                                    • Instruction Fuzzy Hash: 6BF08B30941321AEAB208F295F40F6729B4E745BCAF140037B404D1655DBE8C453DF7D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00403BA4: FreeLibrary.KERNEL32(?,00403B31,00000000,00409589,?,00000000,?), ref: 00403BAB
                                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
                                                                                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
                                                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                                                    • Opcode ID: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
                                                                                                                                    • Instruction ID: 8f7743962e36341c748a679f4d1b70e48ab6ec882cd35c5a4d1c5c737e04e9f5
                                                                                                                                    • Opcode Fuzzy Hash: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
                                                                                                                                    • Instruction Fuzzy Hash: 4F011A34500B419BDB31AF768809E0ABBF4EF94709B20882FE091A3692D6BDB140CF48
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040FA22
                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
                                                                                                                                    • SelectObject.GDI32(?,?), ref: 0040FA45
                                                                                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
                                                                                                                                    • SelectObject.GDI32(00000014,00000005), ref: 0040FA85
                                                                                                                                      • Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
                                                                                                                                      • Part of subcall function 0040F7F1: GetSubMenu.USER32 ref: 0040F809
                                                                                                                                      • Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040FAB0
                                                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
                                                                                                                                    • memcpy.MSVCRT ref: 0040FB3D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
                                                                                                                                    • String ID: WebBrowserPassView
                                                                                                                                    • API String ID: 3991541706-2171583229
                                                                                                                                    • Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
                                                                                                                                    • Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
                                                                                                                                    • Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
                                                                                                                                    • Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetClientRect.USER32 ref: 0040EA07
                                                                                                                                    • GetWindowRect.USER32 ref: 0040EA1D
                                                                                                                                    • GetWindowRect.USER32 ref: 0040EA33
                                                                                                                                    • GetDlgItem.USER32 ref: 0040EA6D
                                                                                                                                    • GetWindowRect.USER32 ref: 0040EA74
                                                                                                                                    • MapWindowPoints.USER32 ref: 0040EA84
                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040EAA8
                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040EACB
                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040EAEA
                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040EB15
                                                                                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040EB2D
                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040EB32
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 552707033-0
                                                                                                                                    • Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
                                                                                                                                    • Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
                                                                                                                                    • Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
                                                                                                                                    • Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250
                                                                                                                                      • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280
                                                                                                                                      • Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
                                                                                                                                      • Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0
                                                                                                                                    • memcpy.MSVCRT ref: 0040A2C7
                                                                                                                                    • strchr.MSVCRT ref: 0040A2EC
                                                                                                                                    • strchr.MSVCRT ref: 0040A2FD
                                                                                                                                    • _strlwr.MSVCRT ref: 0040A30B
• memset.MSVCRT ref: 0040A326
• CloseHandle.KERNEL32(00000000), ref: 0040A373
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
• Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction ID: 0b838db9f825932711660ea6569b586705b9a26b63b1a47a63d1f68ae8ff407c
• Opcode Fuzzy Hash: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction Fuzzy Hash: 86313271900129BBEB20DF55CC85FEB7B7CEF89304F0100EAF509A2112EB789A54CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004055F3
• KillTimer.USER32(?,00000041), ref: 00405603
• KillTimer.USER32(?,00000041), ref: 00405614
• GetTickCount.KERNEL32 ref: 00405637
• GetParent.USER32(?), ref: 00405662
• SendMessageW.USER32(00000000), ref: 00405669
• BeginDeferWindowPos.USER32 ref: 00405677
• EndDeferWindowPos.USER32(00000000), ref: 004056C7
• InvalidateRect.USER32(?,?,00000001), ref: 004056D3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction ID: 7dfccb24d1e076f690be31caf06a6d4f547633615caf0f8568b2f3749d1e3a55
• Opcode Fuzzy Hash: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction Fuzzy Hash: 1D317E75640B04BBEB201F659C85F6B7B6AFB44741F50883AF30A7A1E1C7F698908E58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
• <table dir="rtl"><tr><td>, xrefs: 0040E33C
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
• Instruction ID: dd7614801a102cad1738161c6781c4b5767366b5b9f47406b9b80e8d834f6cb8
• Opcode Fuzzy Hash: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
• Instruction Fuzzy Hash: C82154B69002186BDB21EBA5CC45F9A77BCEF4D785F0440AAF50893151DB38DB848B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0041304A
• wcscpy.MSVCRT ref: 0041305A
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
• wcscpy.MSVCRT ref: 004130A9
• wcscat.MSVCRT ref: 004130B4
• memset.MSVCRT ref: 00413090
  • Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
  • Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489
• memset.MSVCRT ref: 004130D8
• memcpy.MSVCRT ref: 004130F3
• wcscat.MSVCRT ref: 004130FF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
• Instruction ID: 36f3f6f0360cce9f0c7183545ae4e1e5b3fba08c84210a6b9e93ac32fafd8b1c
• Opcode Fuzzy Hash: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
• Instruction Fuzzy Hash: 9A21D7B640530469E721EBB19C86FEB63EC9F46715F20415FB115A2082FB7CAA84475E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
  • Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
  • Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
• memset.MSVCRT ref: 0040748C
  • Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77
• memset.MSVCRT ref: 0040750B
• memset.MSVCRT ref: 00407520
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
• memset.MSVCRT ref: 004076E0
Strings
• SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
• String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
• API String ID: 2096775815-1337997248
• Opcode ID: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
• Instruction ID: 3c2b171134edc849c89bfde98875369ff40149e6fc896e2c8c158776e68e1888
• Opcode Fuzzy Hash: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
• Instruction Fuzzy Hash: 61912A72C0425EAFDF10DF94DC819DEBBB4EF04315F10406BE505B2191EA39AA94CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
• malloc.MSVCRT ref: 00417FD2
• free.MSVCRT(?), ref: 00417FE2
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00417FF6
• free.MSVCRT(?), ref: 00417FFB
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00418011
• malloc.MSVCRT ref: 00418019
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041802C
• free.MSVCRT(?), ref: 00418031
• free.MSVCRT(?), ref: 00418045
• free.MSVCRT(00000000,0044C838,00000000), ref: 00418064
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID:
• API String ID: 3356672799-0
• Opcode ID: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
• Instruction ID: e19f7d1979d0248284e652c075024004b82b0c137a295abbe9fd7512c3376d02
• Opcode Fuzzy Hash: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
• Instruction Fuzzy Hash: AA218675904118BFEF10BBA5EC46CDF7FB9DF41398B22016BF404A2161DE395E819968
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00407FA4
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
• GlobalLock.KERNEL32 ref: 00407FDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
• GlobalUnlock.KERNEL32(00000000), ref: 00408004
• SetClipboardData.USER32 ref: 0040800D
• GetLastError.KERNEL32 ref: 00408015
• CloseHandle.KERNEL32(?), ref: 00408021
• GetLastError.KERNEL32 ref: 0040802C
• CloseClipboard.USER32 ref: 00408035
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
• Instruction ID: 9cea1fd89fc17267dcd3af91661d4008ede421ba1dc4d9805cb8839a0273d96b
• Opcode Fuzzy Hash: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
• Instruction Fuzzy Hash: 71113D7A900A04FBDF105FB0ED4CB9E7BB8EB45365F100176F942E52A2DB748904DB68
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy
                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                    • API String ID: 1284135714-318151290
                                                                                                                                    • Opcode ID: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
                                                                                                                                    • Instruction ID: 0ebae4f713cd0728fe49c3fef23c10be13eea51f6af137ba8aced86fbfd041bd
                                                                                                                                    • Opcode Fuzzy Hash: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
                                                                                                                                    • Instruction Fuzzy Hash: 59F0BBB169462D73342E25B85806AF70483F0C1B0537E45537702EA6D6EA4CCAC1E89F
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                    • String ID: 0$6
                                                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                                                    • Opcode ID: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
                                                                                                                                    • Instruction ID: bceec671b1c8862383177497c079c71e13407bcb6d3a60011dae78a89f936b1e
                                                                                                                                    • Opcode Fuzzy Hash: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
                                                                                                                                    • Instruction Fuzzy Hash: 65315BB2408340AFDB109F95DC44A9BB7E8FF89318F00487FF948A2291D779D905CB9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
                                                                                                                                    • #17.COMCTL32(?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CDF
                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                    • Opcode ID: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
                                                                                                                                    • Instruction ID: 34266bbb316567afe830504356b8b6584aa457591d2bf79f0dcd5bedfca56d80
                                                                                                                                    • Opcode Fuzzy Hash: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
                                                                                                                                    • Instruction Fuzzy Hash: B801D676754B116BEB215F649C89B6B7D9CEF42B4AB004039F502F2181DAB8DE0196A8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
                                                                                                                                    • GetModuleHandleW.KERNEL32(sqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411733
                                                                                                                                    • GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411752
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411759
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeHandleLibraryModule
                                                                                                                                    • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                                                                                                    • API String ID: 662261464-3550686275
                                                                                                                                    • Opcode ID: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
                                                                                                                                    • Instruction ID: e2ab39130582ef49d5f09875a9cbab8dc3c3c45014a759ddc4c6379760142a6f
                                                                                                                                    • Opcode Fuzzy Hash: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
                                                                                                                                    • Instruction Fuzzy Hash: 7AE04F66F4136DA79A1027F66C84EAB6F5CC896AA13150037AF05A33519EA89C018AF9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%
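The two API records above that matter most for triage are the file-to-clipboard routine (GetFileSize, ReadFile, SetClipboardData) and the routine that resolves module handles for nss3.dll, sqlite3.dll and mozsqlite3.dll. nss3.dll is Mozilla's NSS library and mozsqlite3.dll is Mozilla's SQLite build; code that wants to decrypt Firefox's saved logins with the browser's own crypto first needs handles to them, which is exactly what that function does. The script below is an added example, not part of the sandbox report or of the analysed sample: it parses records in the report's own `• API.MODULE(args), ref: ADDR` layout, groups them per function block, and flags those two patterns. The rule names, the helper names and the embedded sample records (copied from the blocks above) are constructed for this example.

```python
"""Triage helper for API-call records in the sandbox report layout shown above.

Added example (not part of the report or the analysed sample). It parses
'• API.MODULE(args), ref: ADDR' lines, groups them per 'APIs' block and flags:
  * a block that resolves handles to Mozilla's NSS / SQLite libraries
    (nss3.dll, mozsqlite3.dll), the libraries guarding Firefox saved logins;
  * a block that reads a file and hands the buffer to SetClipboardData.
Rule names and the SAMPLE text are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# One record: "GetModuleHandleW.KERNEL32(nss3.dll,...), ref: 0041172A".
# Also accepts the no-argument form "GlobalLock.KERNEL32 ref: 00407FDF",
# ordinal imports such as "#17.COMCTL32(...)" and the indented
# "Part of subcall function ...:" variant.
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Mozilla's NSS and its SQLite build (sqlite3.dll alone is too generic to flag).
FIREFOX_LIBS = {"nss3.dll", "mozsqlite3.dll"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)

    @property
    def first_ref(self):
        return self.calls[0].ref if self.calls else None

    def api_names(self):
        return {c.api for c in self.calls}

    def all_args(self):
        return {a for c in self.calls for a in c.args}


def parse_report(text):
    """Split report text into function blocks, one per 'APIs' header with calls."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        m = _API_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return [b for b in blocks if b.calls]  # drop empty (collapsed) 'APIs' headers


def classify(block):
    """Return the constructed rule names that match one function block."""
    hits = []
    if block.all_args() & FIREFOX_LIBS:
        hits.append("firefox_credential_store_libs")
    if {"ReadFile", "SetClipboardData"} <= block.api_names():
        hits.append("file_contents_to_clipboard")
    return hits


def triage(text):
    """Map first-call address -> matched rules, for blocks that matched anything."""
    result = {}
    for block in parse_report(text):
        hits = classify(block)
        if hits:
            result[block.first_ref] = hits
    return result


# Constructed sample: three of the records from the report, in its own layout.
SAMPLE = """
APIs
• GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
• GlobalLock.KERNEL32 ref: 00407FDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
• SetClipboardData.USER32 ref: 0040800D
• CloseClipboard.USER32 ref: 00408035
APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002), ref: 00403CAB
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
• #17.COMCTL32(?,00000002), ref: 00403CDF
APIs
• GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,747857F0,00411871), ref: 0041172A
• GetModuleHandleW.KERNEL32(sqlite3.dll,?,747857F0,00411871), ref: 00411733
• GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,747857F0,00411871), ref: 0041173C
• FreeLibrary.KERNEL32(00000000,?,747857F0,00411871), ref: 0041174B
"""

if __name__ == "__main__":
    for ref, rules in triage(SAMPLE).items():
        print(ref, ", ".join(rules))
```

Run against the full report text, `triage()` returns the first-call address of every block that matched, so the result can be joined back to the "Opcode ID" / fuzzy-hash fields of that block for cross-sample matching. The common-controls block is parsed but matches no rule, which is the intended behaviour: loading comctl32.dll is ordinary GUI setup, not an indicator.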

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memchrmemset
• String ID: UCD$UCD
• API String ID: 1581201632-670880344
• Opcode ID: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
• Instruction ID: 346eebee7d7e8b6f8d140da3993cfc901939ed9edb34b9035315ebb9ce6523fc
• Opcode Fuzzy Hash: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
• Instruction Fuzzy Hash: 8551D3719001195BEB10EFA8CC95FEEB7B8AF85300F0444ABF955E7281E778E644CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32 ref: 004085E9
• GetSystemMetrics.USER32 ref: 004085EF
• GetDC.USER32(00000000), ref: 004085FC
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
• ReleaseDC.USER32 ref: 0040861B
• GetWindowRect.USER32 ref: 0040862E
• GetParent.USER32(?), ref: 00408633
• GetWindowRect.USER32 ref: 00408650
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
• Instruction ID: 6b5921239ffcae24bde8aad05d59603f054fe97e3a0e5988cf4f66e7c2dd28aa
• Opcode Fuzzy Hash: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
• Instruction Fuzzy Hash: 2E31A475A00609AFDF04CFB8CD85AEEBBB9FB48350F050539E901F3291DA71ED418A94
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
• Instruction ID: 99c2379fcd531e162887146704610c03ee1d54022b9859d6cf2ce1b1ac3fe7c7
• Opcode Fuzzy Hash: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
• Instruction Fuzzy Hash: 87616630408342DBDB68AF11D64852FB7B1FF84755F90093FF482A22D0D7B88989DB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32 ref: 0040BB4B
  • Part of subcall function 0040B974: GetMenuItemCount.USER32 ref: 0040B98A
  • Part of subcall function 0040B974: memset.MSVCRT ref: 0040B9A9
  • Part of subcall function 0040B974: GetMenuItemInfoW.USER32 ref: 0040B9E5
  • Part of subcall function 0040B974: wcschr.MSVCRT ref: 0040B9FD
• DestroyMenu.USER32(00000000), ref: 0040BB69
• CreateDialogParamW.USER32 ref: 0040BBB7
• memset.MSVCRT ref: 0040BBD3
• GetWindowTextW.USER32 ref: 0040BBE8
• EnumChildWindows.USER32 ref: 0040BC13
• DestroyWindow.USER32(00000000), ref: 0040BC1A
  • Part of subcall function 0040B7A3: _snwprintf.MSVCRT ref: 0040B7C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 1928666178-4135340389
• Opcode ID: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
• Instruction ID: e22aff4ff37d874dc9406bb5861836d8cb00257f57c634ff68b223b0e4ee6d7d
• Opcode Fuzzy Hash: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
• Instruction Fuzzy Hash: 6821A172500218ABEF21AF50EC49EAF3B78FF46754F00447AF905A5192DB789990CBDE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$TK@
• API String ID: 3979103747-3557169880
• Opcode ID: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
• Instruction ID: e896be4b8b4c8dd321127e9193ea498031fb30aa9e34a4c02f498fe4f9df0790
• Opcode Fuzzy Hash: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
• Instruction Fuzzy Hash: 6F2162B2800118ABDF20DF95CC45E8AB7B8FF44318F05846AEA48A7106DB78E618CBD4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
• wcslen.MSVCRT ref: 00407D46
• wcscpy.MSVCRT ref: 00407D56
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
• wcscpy.MSVCRT ref: 00407D70
Strings
Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                                                    • API String ID: 2767993716-572158859
                                                                                                                                    • Opcode ID: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                    • Instruction ID: f6f7092b450fef05d0d872bf5e04b1357ca4228fed94eee9f5e7a838667149bb
                                                                                                                                    • Opcode Fuzzy Hash: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                    • Instruction Fuzzy Hash: D201F771A041147BFB1527A0EC4AFAF7B6CDF567A1F20003AF506B10D1EA786E00D6AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BCA4
                                                                                                                                    • wcscpy.MSVCRT ref: 0040BCB4
                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 0040BCC5
                                                                                                                                      • Part of subcall function 0040B82A: GetPrivateProfileStringW.KERNEL32 ref: 0040B846
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                                    • Opcode ID: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                    • Instruction ID: d09d9999bd57a78b58a4055e383115949195630bbf49bad653da3d74dfc2830b
                                                                                                                                    • Opcode Fuzzy Hash: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                    • Instruction Fuzzy Hash: 8AF0C232EC0A5137EB1137221D03F2A2608CF92B57F15847BB904762D3DA7C4A15D2DE
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • out of memory, xrefs: 0042F0D8
                                                                                                                                    • database %s is already in use, xrefs: 0042EF3B
                                                                                                                                    • too many attached databases - max %d, xrefs: 0042EEC3
                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042EED9
                                                                                                                                    • database is already attached, xrefs: 0042EF94
                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042EFE2
                                                                                                                                    • unable to open database: %s, xrefs: 0042F0C1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpymemset
                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                    • Opcode ID: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                    • Instruction ID: af9b9ef2f5a1795804296138b741be62980529f77760b3752da5ffa5b8d2aff6
                                                                                                                                    • Opcode Fuzzy Hash: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                    • Instruction Fuzzy Hash: E991E370B00311EFEB10DF66D581BAAB7F0AF44308F94846FE8559B242D778E945CB59
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
                                                                                                                                      • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C37A
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C396
                                                                                                                                    • memcpy.MSVCRT ref: 0040C3BB
                                                                                                                                    • memcpy.MSVCRT ref: 0040C3CF
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C452
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C45C
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040C494
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                    • String ID: 8"E$d
                                                                                                                                    • API String ID: 1140211610-2418960419
                                                                                                                                    • Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                    • Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
                                                                                                                                    • Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                    • Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00417204
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417216
                                                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3015003838-0
                                                                                                                                    • Opcode ID: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                    • Instruction ID: b1728a7637de8f6c0c3372c087848d546b31592ea547c84e90bff2a5ea0aeb9c
                                                                                                                                    • Opcode Fuzzy Hash: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                    • Instruction Fuzzy Hash: 2F41F27550C702AFE7218F20DC01BA7B7F1AB90B14F20496EF59552381DBB9D9C68B1E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E63
                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00417E6A
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417E77
                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00417E8C
                                                                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E95
                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00417E9C
                                                                                                                                    • GetLastError.KERNEL32 ref: 00417EA9
                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00417EBE
                                                                                                                                    • free.MSVCRT(00000000), ref: 00417EC7
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2802642348-0
                                                                                                                                    • Opcode ID: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                    • Instruction ID: 47bfd0c0f8263ce6d61c00ded009a165ca5b61f2fc3d609cfbcfb361f1c4a64c
                                                                                                                                    • Opcode Fuzzy Hash: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                    • Instruction Fuzzy Hash: 1711063D5087149FCA2027706CC86BF36F49B57772B2102AAF953922D1DB2D4CC1956D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                    • Opcode ID: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                    • Instruction ID: 1058aa724a71ea66541b56df80d5a3cdc90ec5801de880f61679d0e38116f1b7
                                                                                                                                    • Opcode Fuzzy Hash: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                    • Instruction Fuzzy Hash: 2901927AE542A1A5F63031094C86FF74198DBE3B15FB14127FA96252C5E28D49C382AF
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
                                                                                                                                      • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
                                                                                                                                      • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
                                                                                                                                      • Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7
                                                                                                                                    • memset.MSVCRT ref: 0040A5DF
                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
                                                                                                                                    • _wcsupr.MSVCRT ref: 0040A627
                                                                                                                                      • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
                                                                                                                                      • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
                                                                                                                                      • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
                                                                                                                                    • memset.MSVCRT ref: 0040A676
                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE
                                                                                                                                    Strings
                                                                                                                                    • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                    • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                                                                                    • API String ID: 4131475296-680441574
                                                                                                                                    • Opcode ID: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                    • Instruction ID: 4ff845341dcd1a768bfc42e85b7312ef223b671260cd3b9f040e87321517091f
                                                                                                                                    • Opcode Fuzzy Hash: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                    • Instruction Fuzzy Hash: AB413BB694021DABDB00EF99DC85EEFB7BCAF58304F10417AB504F2191DB789B458BA4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                    • wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
                                                                                                                                      • Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814
                                                                                                                                    • wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                    • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                    • memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
                                                                                                                                      • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                    • String ID: strings
                                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                                    • Opcode ID: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                    • Instruction ID: c57a50961ac065af18f7b97b0dfcf96f0970c66ac6ac5239858a4cd79fa145fe
                                                                                                                                    • Opcode Fuzzy Hash: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                    • Instruction Fuzzy Hash: 35415975200701BBDB259F14FC9593A3365E784387B20453EE802A73A3DB39EA16DB9C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                    • Opcode ID: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                    • Instruction ID: cf2ea30055fd2b250d8a38ac5c403ff02bed82fd0d2b8d5d11e07c443477a94e
                                                                                                                                    • Opcode Fuzzy Hash: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                    • Instruction Fuzzy Hash: D31177325002197BEB20EB91DC8AEEF777CEF45750F404066F509E1192EB749A41CB99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                    • String ID: -journal$-wal
                                                                                                                                    • API String ID: 438689982-2894717839
                                                                                                                                    • Opcode ID: 06be32a774592b0ef8d9d06a82f4e809c6ae93f37653617c392a06c5b268a917
                                                                                                                                    • Instruction ID: 74a332e22f0b607a266e47b82b9d8ba1ef45136a3b8be849caa08d0d2b66e2c9
                                                                                                                                    • Opcode Fuzzy Hash: 06be32a774592b0ef8d9d06a82f4e809c6ae93f37653617c392a06c5b268a917
                                                                                                                                    • Instruction Fuzzy Hash: DCA1C071A0464AEFDB14DF64C8417DEBBB0FF04314F14826EE46997381D738AAA4CB98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32 ref: 00405153
                                                                                                                                    • GetDlgItem.USER32 ref: 00405166
                                                                                                                                    • GetDlgItem.USER32 ref: 0040517B
                                                                                                                                    • GetDlgItem.USER32 ref: 00405193
                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 004051AF
                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 004051C4
                                                                                                                                      • Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
                                                                                                                                      • Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90
                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 004051DC
                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004052ED
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3975816621-0
                                                                                                                                    • Opcode ID: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
                                                                                                                                    • Instruction ID: 2cde12ba5927d4bde9809f16a4ff1e8400ea1fd37873b15a8c1cc8d9e94e8744
                                                                                                                                    • Opcode Fuzzy Hash: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
                                                                                                                                    • Instruction Fuzzy Hash: 6961B030600B05ABDB31AF25CC86B6B73A5FF50324F00863EF515AA6D1D778A951CF99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • _wcsicmp.MSVCRT ref: 00443F6F
                                                                                                                                    • _wcsicmp.MSVCRT ref: 00443F84
                                                                                                                                    • _wcsicmp.MSVCRT ref: 00443F99
                                                                                                                                      • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
                                                                                                                                      • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
                                                                                                                                      • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                                                    • Opcode ID: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
                                                                                                                                    • Instruction ID: 597a29036d5ddd155e475e5b18437da6987c3908216f6d337c400390a4fd9aac
                                                                                                                                    • Opcode Fuzzy Hash: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
                                                                                                                                    • Instruction Fuzzy Hash: A54135758087018AF7309EA5D94076773D8DB84B26F208D3FE56AE36C1EEBCE958411E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                    • Opcode ID: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
                                                                                                                                    • Instruction ID: 5d7335f69ca4f594208563f7014043d8df0e1bea6ea55c180c5050c90dc7a29e
                                                                                                                                    • Opcode Fuzzy Hash: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
                                                                                                                                    • Instruction Fuzzy Hash: E931A4B1500A01AFEB14AF69C98691AB7A4FF04354710453FF545E7691DB78EC90CF98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetClientRect.USER32 ref: 00405491
                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 004054A9
                                                                                                                                    • GetWindow.USER32(00000000), ref: 004054AC
                                                                                                                                      • Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744
                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 004054B8
                                                                                                                                    • GetDlgItem.USER32 ref: 004054CE
                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
                                                                                                                                    • GetDlgItem.USER32 ref: 00405517
                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2047574939-0
                                                                                                                                    • Opcode ID: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
                                                                                                                                    • Instruction ID: ee080d675ccdbf70b04d6128f25a7e8090f7ef981af0433368dbc7d1a9e2eb74
                                                                                                                                    • Opcode Fuzzy Hash: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
                                                                                                                                    • Instruction Fuzzy Hash: AB218071690B0977EA0137229D86F6B366DEF96714F10003AFA007B2C2EEBA580245AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4218492932-0
                                                                                                                                    • Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                    • Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
                                                                                                                                    • Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                    • Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
• wcslen.MSVCRT ref: 00407F47
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
• GlobalLock.KERNEL32 ref: 00407F64
• memcpy.MSVCRT ref: 00407F6D
• GlobalUnlock.KERNEL32(00000000), ref: 00407F76
• SetClipboardData.USER32 ref: 00407F7F
• CloseClipboard.USER32 ref: 00407F8F
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
• Instruction ID: 8669bfd28652b36aabcc6f95cbac9fd564b8d5c2b1f3dd921f492192fb7780cb
• Opcode Fuzzy Hash: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
• Instruction Fuzzy Hash: E8F0E03B600A157FD6103BF0BC4CF5B776CDBC6B96B01013AF905D6252DE68580487B9
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406FF4
• memset.MSVCRT ref: 00407008
• strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
• strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
• strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
• strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
• wcscpy.MSVCRT ref: 0040709D
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 4248099071-0
• Opcode ID: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
• Instruction ID: 3602a3695f0633691502e701aaeaa3678f077821d3d25540d64766a890a16dc7
• Opcode Fuzzy Hash: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
• Instruction Fuzzy Hash: A6412D7590021DAFDB20DF64CC80FDAB3FCBB09344F0485AAB559D2141DA34AB448F64
Uniqueness
Uniqueness Score: -1.00%
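
The two records above are Joe Sandbox per-function summaries from the hollowed process dump: the resolved imports in call order with their call-site addresses, the memory dump they were recovered from, and the Similarity fields (API ID, API String ID, opcode and instruction fuzzy hashes) the report uses to relate the function to functions seen elsewhere. The Python below is an added example, not part of the sandbox report or of Joe Security's tooling. It parses records in this layout and applies two checks a reviewer would want on them: it flags the EmptyClipboard / SetClipboardData / CloseClipboard sequence of the first record (one buffer written to the clipboard), and it lists the MultiByteToWideChar and WideCharToMultiByte calls whose first argument is 0000FDE9, which is code page 65001 (CP_UTF8). The input records are copied from the report text above (the second one shortened); the record layout and field names the parser assumes are exactly those printed here, and the two heuristics are this example's own, not sandbox signatures.

```python
# Added example (not part of the Joe Sandbox report or Joe Security's tooling): parse the
# per-function records shown above and flag API sequences worth a second look.
import re
from dataclasses import dataclass, field

# Constructed input: two records copied from the report above (the second one shortened).
SAMPLE_REPORT = """\
APIs
• EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
• wcslen.MSVCRT ref: 00407F47
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
• GlobalLock.KERNEL32 ref: 00407F64
• memcpy.MSVCRT ref: 00407F6D
• GlobalUnlock.KERNEL32(00000000), ref: 00407F76
• SetClipboardData.USER32 ref: 00407F7F
• CloseClipboard.USER32 ref: 00407F8F
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• API String ID: 1213725291-0
• Instruction Fuzzy Hash: E8F0E03B600A157FD6103BF0BC4CF5B776CDBC6B96B01013AF905D6252DE68580487B9
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406FF4
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• API String ID: 4248099071-0
• Instruction Fuzzy Hash: A6412D7590021DAFDB20DF64CC80FDAB3FCBB09344F0485AAB559D2141DA34AB448F64
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(r"^•\s+(?:Part of subcall function ([0-9A-Fa-f]+):\s+)?"
                    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-Fa-f]+)$")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref) in call order
    subcalls: list = field(default_factory=list)  # same shape, reached through a subcall
    source: str = ""                              # Memory Dump Source line
    fields: dict = field(default_factory=dict)    # Similarity key/value pairs
    uniqueness: float = None

def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":        # every record opens with its APIs header
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue
        body = line.lstrip("• ")
        if line.startswith("Uniqueness Score:"):
            rec.uniqueness = float(body.split(":", 1)[1].strip().rstrip("%"))
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                caller, name, module, args, ref = m.groups()
                (rec.subcalls if caller else rec.apis).append((name, module, args or "", ref))
        elif section == "Memory Dump Source":
            rec.source = body
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.fields[key.strip()] = value.strip()
    return records

CLIPBOARD_EXPORT = {"EmptyClipboard", "SetClipboardData", "CloseClipboard"}
CP_UTF8 = "0000FDE9"   # 65001, first argument of MultiByteToWideChar / WideCharToMultiByte

def api_sequence(rec):
    return [name for name, _, _, _ in rec.apis]

def writes_clipboard(rec):
    """Empty, set, close: the function replaces the clipboard contents with one buffer."""
    return CLIPBOARD_EXPORT <= set(api_sequence(rec))

def utf8_conversions(rec):
    """Call sites of code-page conversions that explicitly select UTF-8."""
    return [ref for name, _, args, ref in rec.apis + rec.subcalls
            if name in ("MultiByteToWideChar", "WideCharToMultiByte") and args.split(",")[0] == CP_UTF8]

def index_by_fuzzy_hash(records):
    """Instruction fuzzy hash -> record, the key for looking a function up across samples."""
    return {r.fields["Instruction Fuzzy Hash"]: r for r in records if "Instruction Fuzzy Hash" in r.fields}

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec.fields.get("API String ID"), ",".join(api_sequence(rec)),
              "clipboard-write" if writes_clipboard(rec) else "", utf8_conversions(rec))
```

Read the flags in context. The report attributes the sample to MailPassView and WebBrowserPassView, and a clipboard writer next to an HTML-table writer (the `<td bgcolor=#%s nowrap>%s` record further down) is consistent with the export functions of an embedded password-recovery tool, so treat such hits as fingerprints of the bundled tool and for cross-sample matching, not as proof of the stealer's exfiltration path. The Instruction Fuzzy Hash index is the piece to carry over to other reports: a function with the same hash in another sample is the same tool code.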

APIs
• GetDlgItem.USER32 ref: 00404F51
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404F6A
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404F77
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404F83
• memset.MSVCRT ref: 00404FE7
• SendMessageW.USER32(?,0000105F,?,?), ref: 0040501C
• SetFocus.USER32(?), ref: 004050A2
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
• Instruction ID: 4a7769bfe8dd657eebcefc70b29ecb6e887c437cb47c08b61b0609965a717ddb
• Opcode Fuzzy Hash: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
• Instruction Fuzzy Hash: 7B415975900219BBDB20DF95CC89EAFBFB9EF04754F1040AAF508A6291D3749A90CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
• Instruction ID: 8f1261d6e50b9fc48a8d4c2a01cb2efc3c1dd918db621c17a7092c97f5fd87e6
• Opcode Fuzzy Hash: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
• Instruction Fuzzy Hash: 7E318D31900209EFDF04EF54CC86AAE7F75FF44320F1001AAE905AB2E2C738AA55DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
• Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
• Opcode Fuzzy Hash: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
• Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00417BF2
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C19
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C42
• LocalFree.KERNEL32(?), ref: 00417C5D
• free.MSVCRT(?,0044C838,?), ref: 00417C8B
  • Part of subcall function 00416D4F: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
  • Part of subcall function 00416D4F: malloc.MSVCRT ref: 00416D74
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
• Instruction ID: 86e7f975cda22aef79341c94f36a987d619a37d11feed098ff88b3a8796ba2f5
• Opcode Fuzzy Hash: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
• Instruction Fuzzy Hash: BA11B234E01228BBDB11ABA2DD8DCDF7F78EF85750B20005BF40592211E7784A80DBE8
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
• wcscpy.MSVCRT ref: 00408767
• wcscat.MSVCRT ref: 00408774
• wcscat.MSVCRT ref: 00408783
• wcscpy.MSVCRT ref: 00408795
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
• Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
• Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
• Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <?xml version="1.0" ?>, xrefs: 0040D8B8
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
• <%s>, xrefs: 0040D8E2
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
• Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
• Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
• Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
• Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
• Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
• Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 00443CA6
• wcscat.MSVCRT ref: 00443CB5
• wcscat.MSVCRT ref: 00443CC6
• wcscat.MSVCRT ref: 00443CD5
• VerQueryValueW.VERSION(?,?,00000000,?), ref: 00443CEF
  • Part of subcall function 0040807E: wcslen.MSVCRT ref: 00408085
  • Part of subcall function 0040807E: memcpy.MSVCRT ref: 0040809B
  • Part of subcall function 00408148: lstrcpyW.KERNEL32 ref: 0040815D
  • Part of subcall function 00408148: lstrlenW.KERNEL32(?), ref: 00408164
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 393120378-2245444037
• Opcode ID: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
• Instruction ID: 4bcd922806ee50f9cb47b7d9b2cc513868d30f54de93413914084f8cb2eb3ca3
• Opcode Fuzzy Hash: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
• Instruction Fuzzy Hash: B801847290020DA6EF11EAA1CC45EDF777CAB44308F1005B7B654F2052EA3CDB869B58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                    • Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
                                                                                                                                    • Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
                                                                                                                                    • Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
                                                                                                                                    • Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset
                                                                                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                    • API String ID: 2221118986-1606337402
                                                                                                                                    • Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
                                                                                                                                    • Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
                                                                                                                                    • Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
                                                                                                                                    • Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
                                                                                                                                    • memset.MSVCRT ref: 004131B4
                                                                                                                                    • memset.MSVCRT ref: 004131C4
                                                                                                                                      • Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A
                                                                                                                                    • memset.MSVCRT ref: 004132AF
                                                                                                                                    • wcscpy.MSVCRT ref: 004132D0
                                                                                                                                    • CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3300951397-0
                                                                                                                                    • Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
                                                                                                                                    • Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
                                                                                                                                    • Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
                                                                                                                                    • Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00417F17
                                                                                                                                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00417F25
                                                                                                                                    • free.MSVCRT(00000000), ref: 00417F6B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AttributesFilefreememset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2507021081-0
                                                                                                                                    • Opcode ID: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
                                                                                                                                    • Instruction ID: b8dc40b53dc963fdbe0ae3b1e60dcad109612476599bdcfb1117a2ceff08efc0
                                                                                                                                    • Opcode Fuzzy Hash: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
                                                                                                                                    • Instruction Fuzzy Hash: 0811B73690C1159B9B109F649CC15EF7278DB49354B21013BF912A2281D63C9D82D2AD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040EF4D
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                      • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
                                                                                                                                      • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
                                                                                                                                      • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
                                                                                                                                      • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
                                                                                                                                      • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
                                                                                                                                      • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
                                                                                                                                      • Part of subcall function 00408907: GetSaveFileNameW.COMDLG32(?), ref: 00408956
                                                                                                                                      • Part of subcall function 00408907: wcscpy.MSVCRT ref: 0040896D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                    • API String ID: 1392923015-3614832568
                                                                                                                                    • Opcode ID: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
                                                                                                                                    • Instruction ID: 893d8713e26b77edc4206c052df4fc7d3163be0104e9675467069f1f0f0c5c5e
                                                                                                                                    • Opcode Fuzzy Hash: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
                                                                                                                                    • Instruction Fuzzy Hash: 963150B1D006199FDB10EF96D8856DD7BB4FF04318F20417BF908B7281EB786A458B98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00416E17
                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E35
                                                                                                                                    • malloc.MSVCRT ref: 00416E3F
                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E56
                                                                                                                                    • free.MSVCRT(?), ref: 00416E5F
                                                                                                                                    • free.MSVCRT(?,?), ref: 00416E7D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4131324427-0
                                                                                                                                    • Opcode ID: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
                                                                                                                                    • Instruction ID: 8f18c9831eb1c79f14fd8e789aed1b74bdecd3d50ffb4352c5f07f5f59d31971
                                                                                                                                    • Opcode Fuzzy Hash: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
                                                                                                                                    • Instruction Fuzzy Hash: 4901FC7A504221BBAB215B75EC01EEF36DCDF457B07220326FC14E7290DA28DD4145EC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: NA$LMA$MMA$MMA
                                                                                                                                    • API String ID: 3510742995-965156261
                                                                                                                                    • Opcode ID: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
                                                                                                                                    • Instruction ID: 8582fd1753a63c193c8d59700b7b4d4e45a0e47666d49b47a36a18adf3e061cc
                                                                                                                                    • Opcode Fuzzy Hash: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
                                                                                                                                    • Instruction Fuzzy Hash: DBE09A30940350DAE360A744DC82F823294A742B26F11843BE508229E3C3FC98C88BAD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,0041767E), ref: 00417AF6
                                                                                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,0041767E), ref: 00417B1E
                                                                                                                                    • free.MSVCRT(00000000,0044C838,00000000), ref: 00417B46
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PathTemp$free
                                                                                                                                    • String ID: %s\etilqs_$etilqs_
                                                                                                                                    • API String ID: 924794160-1420421710
                                                                                                                                    • Opcode ID: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
                                                                                                                                    • Instruction ID: 98cb418060ea171a52ad1c8f6cb6bf58db0dc7ae7347cd78cc57f1029aea62d9
                                                                                                                                    • Opcode Fuzzy Hash: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
                                                                                                                                    • Instruction Fuzzy Hash: F8314B3160C2595AE730A7659C41BFB73AD9F6434CF2404AFE481C2182EF6CEEC58A5D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040D611
                                                                                                                                      • Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825
                                                                                                                                      • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
                                                                                                                                      • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
                                                                                                                                    • _snwprintf.MSVCRT ref: 0040D65B
                                                                                                                                    Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
• Opcode ID: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
• Instruction ID: be7e472b8ae12577d0ef69e4d5a2bd87498dbd4f23eec6cc8c98af6d964d1ad5
• Opcode Fuzzy Hash: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
• Instruction Fuzzy Hash: 3E11C13160031ABBEB11AB65CCC6E997B25FF08708F100026F809676A2C739F961DBC9
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F329
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040F343
• wcscat.MSVCRT ref: 0040F35F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: .cfg$General
• API String ID: 776488737-1188829934
• Opcode ID: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
• Instruction ID: 56bea33938f28168157b0b8bcc93b38caa6b0521648f49714e8bc2d05d89a73e
• Opcode Fuzzy Hash: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
• Instruction Fuzzy Hash: 831186769013289ADF20EF55CC85ACE7378FF48754F1041FBE508A7142DB789A858B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040FBF3
• RegisterClassW.USER32 ref: 0040FC18
• GetModuleHandleW.KERNEL32(00000000), ref: 0040FC1F
• CreateWindowExW.USER32 ref: 0040FC3E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID: WebBrowserPassView
• API String ID: 2678498856-2171583229
• Opcode ID: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
• Instruction ID: f352fd5291e0f9f707763c8e0c0f79a6b8b327092a808c719acfd4fe52221a97
• Opcode Fuzzy Hash: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
• Instruction Fuzzy Hash: 6E01C4B1D02629ABDB01DF998C89ADFBEBCFF09750F108116F514E6241D7B45A408BE9
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
• GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
• FreeLibrary.KERNEL32(00000000), ref: 00403BFD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: CryptUnprotectData$crypt32.dll
• API String ID: 145871493-1827663648
• Opcode ID: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
• Instruction ID: 6d08c6472c4a7eef0e99d7de69836aa1542f25023555ecd08c966f49be56efdf
• Opcode Fuzzy Hash: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
• Instruction Fuzzy Hash: B3012C36508A419BDB318F168D4881BFEF9EFE1741B25482EE0C6E2261D7799980CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 004140A9
• wcscpy.MSVCRT ref: 004140C4
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
• Opcode ID: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
• Instruction ID: 886da17c1b1bf2e9de85dc8b7e1e57be2bc6bdc909f117fec59c49a827307fb5
• Opcode Fuzzy Hash: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
• Instruction Fuzzy Hash: 6BF059B3408701AFF7209B919C85E9B7BDCEB98318F11842FF21991011DB384C4486A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
• _snwprintf.MSVCRT ref: 00407E35
• MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
• Instruction ID: b00963ac5392a62de3320d989648915026267cceceb2d36b0a398715d1e41bd5
• Opcode Fuzzy Hash: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
• Instruction Fuzzy Hash: B9F0A77694060867EF11A794CC06FDA73ACBB84791F1400BBF945E2181DAB8EA854A69
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
• FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
• Instruction ID: 374e307410260eae357c848a0ac8b8d2ed108e4990ae0ebeecf0dac054c84ad8
• Opcode Fuzzy Hash: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
• Instruction Fuzzy Hash: B1D05B397005206BEA5167366C48FEF3A55EFC7B517154031F910D2261DB648C0285AD
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
• Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
• Opcode Fuzzy Hash: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
• Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 004310A5
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430F42
• foreign key on %s should reference only one column of table %T, xrefs: 00430F1A
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
• Instruction ID: b4e089481029338f932d4991b26cccaedb5970869045d73953a00dcfe725fe6b
• Opcode Fuzzy Hash: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
• Instruction Fuzzy Hash: 10914B75A00209DFCB24DF59C480A9EBBF1FF48304F15819AE809AB312D739E942CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memsetwcslen$wcscatwcscpy
• String ID: nss3.dll
• API String ID: 1250441359-2492180550
• Opcode ID: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
• Instruction ID: 1e34d79d1f5922d0320f8d763ab64a9784b47cc615ba08cf08abcfcfe76fb249
• Opcode Fuzzy Hash: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
• Instruction Fuzzy Hash: D511ECF290121D96EB10EB60DD49BC673BC9B15314F1004BBE60DF21C1FB79DA548A5D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
• ??3@YAXPAX@Z.MSVCRT ref: 0040C19C
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
• free.MSVCRT(00000000), ref: 0040C20E
  • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
• Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
• Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
• Opcode Fuzzy Hash: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
• Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD
Uniqueness

Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 00416DB2
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00416DD2
                                                                                                                                    • malloc.MSVCRT ref: 00416DD8
                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00416DF6
                                                                                                                                    • free.MSVCRT(?), ref: 00416DFF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4053608372-0
                                                                                                                                    • Opcode ID: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                    • Instruction ID: 7c4f126962bd8a7e2ff3a65b0fa2dbedc4b8b396d66bab6395f0ad674673df12
                                                                                                                                    • Opcode Fuzzy Hash: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                    • Instruction Fuzzy Hash: B501C8B550411DBF7F115FA5ECC1CFF7AACEA453E8721032AF414E2190D6348E405AB8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetParent.USER32(?), ref: 0040B620
                                                                                                                                    • GetWindowRect.USER32 ref: 0040B62D
                                                                                                                                    • GetClientRect.USER32 ref: 0040B638
                                                                                                                                    • MapWindowPoints.USER32 ref: 0040B648
                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                    • Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                    • Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
                                                                                                                                    • Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                    • Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                    • memset.MSVCRT ref: 00444333
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                      • Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
                                                                                                                                      • Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                    • Opcode ID: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
                                                                                                                                    • Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
                                                                                                                                    • Opcode Fuzzy Hash: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
                                                                                                                                    • Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??3@
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                    • Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
                                                                                                                                    • Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
                                                                                                                                    • Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
                                                                                                                                    • Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040D937
                                                                                                                                    • memset.MSVCRT ref: 0040D94E
                                                                                                                                      • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
                                                                                                                                      • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
                                                                                                                                    • _snwprintf.MSVCRT ref: 0040D97D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                    • String ID: </%s>
                                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                                    • Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
                                                                                                                                    • Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
                                                                                                                                    • Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
                                                                                                                                    • Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                    • String ID: caption
                                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                                    • Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
                                                                                                                                    • Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
                                                                                                                                    • Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
                                                                                                                                    • Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileNameOpenwcscpy
                                                                                                                                    • String ID: X$xK@
                                                                                                                                    • API String ID: 3246554996-3735201224
                                                                                                                                    • Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
                                                                                                                                    • Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
                                                                                                                                    • Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
                                                                                                                                    • Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
                                                                                                                                      • Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF
                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 0040105D
                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 0040107C
                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 0040109A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                    • API String ID: 210187428-168460110
                                                                                                                                    • Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
                                                                                                                                    • Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
                                                                                                                                    • Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
                                                                                                                                    • Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClassName_wcsicmpmemset
                                                                                                                                    • String ID: edit
                                                                                                                                    • API String ID: 2747424523-2167791130
                                                                                                                                    • Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
                                                                                                                                    • Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
                                                                                                                                    • Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
• Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
• Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
• Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
• Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
• Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
• Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019F1: GetMenu.USER32(?), ref: 00401A0F
  • Part of subcall function 004019F1: GetSubMenu.USER32 ref: 00401A16
  • Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E
  • Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
  • Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73
• GetMenu.USER32(?), ref: 0040E7C9
• GetSubMenu.USER32 ref: 0040E7D6
• GetSubMenu.USER32 ref: 0040E7D9
• CheckMenuRadioItem.USER32 ref: 0040E7E5
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
• Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
• Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
• Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
• GetLastError.KERNEL32 ref: 00417A25
• CloseHandle.KERNEL32(00000000), ref: 00417A3B
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
• Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
• Opcode Fuzzy Hash: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
• Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0
• memcpy.MSVCRT ref: 0042E519
Strings
• Cannot add a column to a view, xrefs: 0042E486
• virtual tables may not be altered, xrefs: 0042E470
• sqlite_altertab_%s, xrefs: 0042E4EA
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
• Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
• Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
• Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE
• API String ID: 3510742995-3459038510
• Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
• Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
• Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
• Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00404B07
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
  • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
  • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
  • Part of subcall function 004088A0: GetOpenFileNameW.COMDLG32(?), ref: 004088E9
  • Part of subcall function 004088A0: wcscpy.MSVCRT ref: 004088F7
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 3589925243-1828844352
• Opcode ID: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
• Instruction ID: 189ab15ad594b46ceda1379ae2a6b1c5413d0dce04db73f13dfcb8633a17526e
• Opcode Fuzzy Hash: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
• Instruction Fuzzy Hash: 0841B771600205AFEF10EF61DD86ADE77B5FF40314F10802BFA05A71D2EB79A9958B98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• wcslen.MSVCRT ref: 0040E4B0
• _wtoi.MSVCRT ref: 0040E4BC
• _wcsicmp.MSVCRT ref: 0040E50A
• _wcsicmp.MSVCRT ref: 0040E51B
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
• Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpymemsetstrlen
• String ID: Ap@$Ap@
• API String ID: 160209724-724177859
• Opcode ID: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction ID: e2bdeeadc1d90758f2de231e66b6cadccfeb655152d102dc9dd3295dcddd65f9
• Opcode Fuzzy Hash: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction Fuzzy Hash: 10313371A042069BDB14DFA8AC80BAFB7B89F04310F1100BEE916F72C1DB78DA518769
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F882
  • Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
• GetMenuStringW.USER32 ref: 0040F90C
• GetKeyState.USER32(00000010), ref: 0040F938
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3550944819-0
                                                                                                                                    • Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
                                                                                                                                    • Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
                                                                                                                                    • Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
                                                                                                                                    • Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$free
                                                                                                                                    • String ID: Z6@
                                                                                                                                    • API String ID: 2888793982-1638572689
                                                                                                                                    • Opcode ID: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
                                                                                                                                    • Instruction ID: 1cd3d00781b25d2b94616f77ccd2c248328d95a28ed1044bfffefbc926401994
                                                                                                                                    • Opcode Fuzzy Hash: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
                                                                                                                                    • Instruction Fuzzy Hash: EB219034500605EFCB60DF29C98185ABBF6FF84314720467EE852E3790E739EE019B44
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy
                                                                                                                                    • String ID: @
                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                    • Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
                                                                                                                                    • Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
                                                                                                                                    • Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
                                                                                                                                    • Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                    • Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
                                                                                                                                    • Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
                                                                                                                                    • Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
                                                                                                                                    • Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 00413DA4
                                                                                                                                      • Part of subcall function 004089E1: _snwprintf.MSVCRT ref: 00408A26
                                                                                                                                      • Part of subcall function 004089E1: memcpy.MSVCRT ref: 00408A36
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00413DCD
                                                                                                                                    • memset.MSVCRT ref: 00413DD7
                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00413DF9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                    • Opcode ID: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
                                                                                                                                    • Instruction ID: e0c1f09ad2cb5d60bcfcc92858fd4079171207d9a16d9363f081e68af551c4db
                                                                                                                                    • Opcode Fuzzy Hash: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
                                                                                                                                    • Instruction Fuzzy Hash: 4D1165B2500129BFEF11AF64DC06EDE7B79EF44711F10006AFB05B2151EA359A608F9D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 004146C4
                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 004146F6
                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
                                                                                                                                    • wcscpy.MSVCRT ref: 0041471D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3917621476-0
                                                                                                                                    • Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
                                                                                                                                    • Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
                                                                                                                                    • Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
                                                                                                                                    • Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                    • String ID: sqlite_master
                                                                                                                                    • API String ID: 438689982-3163232059
                                                                                                                                    • Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
                                                                                                                                    • Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
                                                                                                                                    • Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
                                                                                                                                    • Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                      • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                      • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                    • _snwprintf.MSVCRT ref: 0040E81D
                                                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882
                                                                                                                                      • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                      • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                      • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                    • _snwprintf.MSVCRT ref: 0040E848
                                                                                                                                    • wcscat.MSVCRT ref: 0040E85B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 822687973-0
                                                                                                                                    • Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
                                                                                                                                    • Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
                                                                                                                                    • Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
                                                                                                                                    • Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
                                                                                                                                    • malloc.MSVCRT ref: 00416D74
                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74785970,?,00416E7A,?), ref: 00416D93
                                                                                                                                    • free.MSVCRT(00000000,?,74785970,?,00416E7A,?), ref: 00416D9A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2605342592-0
                                                                                                                                    • Opcode ID: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
                                                                                                                                    • Instruction ID: bcab52b9ccbc4c9bc02d63d2584d5636d902a6cb4a382b6ea3df8204de1a5a00
                                                                                                                                    • Opcode Fuzzy Hash: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
                                                                                                                                    • Instruction Fuzzy Hash: 9DF089B260E22D7F7B102A75ACC0D7BBB9CDB862FDB21072FF514A1190D9199C015675
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32 ref: 004081F8
                                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
                                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
                                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Item
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3888421826-0
                                                                                                                                    • Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
                                                                                                                                    • Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
                                                                                                                                    • Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
                                                                                                                                    • Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417496
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
• GetLastError.KERNEL32 ref: 004174D0
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00401C64
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 00401C7D
• wcslen.MSVCRT ref: 00401C8B
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
• String ID: Apple Computer\Preferences\keychain.plist
• API String ID: 3183857889-296063946
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040CF1E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00445ADC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CF37
• strlen.MSVCRT ref: 0040CF49
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040CF5A
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040CEAF
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
• strlen.MSVCRT ref: 0040CEDE
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
  • Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
  • Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455
• SetBkMode.GDI32(?,00000001), ref: 00413A7C
• SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
• SetTextColor.GDI32(?,00C00000), ref: 00413A98
• GetStockObject.GDI32(00000000), ref: 00413AA0
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404C44
  • Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
  • Part of subcall function 0041473D: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
  • Part of subcall function 0041473D: FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
• GetDlgItem.USER32 ref: 00404C56
• GetDlgItem.USER32 ref: 00404C68
• GetDlgItem.USER32 ref: 00404C7A
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Item$Library$AddressFreeLoadProc
• String ID:
• API String ID: 2406072140-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0040CFDA
• wcschr.MSVCRT ref: 0040CFE8
  • Part of subcall function 00408FA6: wcslen.MSVCRT ref: 00408FC2
  • Part of subcall function 00408FA6: memcpy.MSVCRT ref: 00408FE5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpywcschr
• String ID: ZD
• API String ID: 2424118378-3587482827
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
                                                                                                                                    • _memicmp.MSVCRT ref: 0040A1B9
                                                                                                                                    • memcpy.MSVCRT ref: 0040A1D0
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                                                                                    • String ID: URL
                                                                                                                                    • API String ID: 2108176848-3574463123
                                                                                                                                    • Opcode ID: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
                                                                                                                                    • Instruction ID: 99369b2f7b4a62638f95efb923bbf95607b210eae314fb40be60fbcdcdd136bc
                                                                                                                                    • Opcode Fuzzy Hash: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
                                                                                                                                    • Instruction Fuzzy Hash: 8E11E371200304BBEB11DF65CC05F5F7BA8AF91348F00407AF904AB391EA39DA20C7A6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                                    • String ID: %2.2X
                                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                                    • Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                    • Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
                                                                                                                                    • Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                    • Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00417524
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseFileHandleUnmapView
                                                                                                                                    • String ID: NA
                                                                                                                                    • API String ID: 2381555830-2562218444
                                                                                                                                    • Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                    • Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
                                                                                                                                    • Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                    • Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
                                                                                                                                      • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                      • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                      • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 0040907D
                                                                                                                                      • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 004090A2
                                                                                                                                    • CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
                                                                                                                                      • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                    • String ID: {@
                                                                                                                                    • API String ID: 2445788494-1579578673
                                                                                                                                    • Opcode ID: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
                                                                                                                                    • Instruction ID: c5e992bc26eaba96ccce0a59eaf6c8ec24c3530ff69697df2342695e73c728e4
                                                                                                                                    • Opcode Fuzzy Hash: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
                                                                                                                                    • Instruction Fuzzy Hash: A1113376804208AFCB01AF69DC45CDA7B78EE05364751C27BF515A7192D6349E04CBA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _snwprintf
                                                                                                                                    • String ID: %%-%d.%ds
                                                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                                                    • Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
                                                                                                                                    • Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
                                                                                                                                    • Opcode Fuzzy Hash: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
                                                                                                                                    • Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileNameSavewcscpy
                                                                                                                                    • String ID: X
                                                                                                                                    • API String ID: 3080202770-3081909835
                                                                                                                                    • Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
                                                                                                                                    • Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
                                                                                                                                    • Opcode Fuzzy Hash: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
                                                                                                                                    • Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memicmpwcslen
                                                                                                                                    • String ID: History
                                                                                                                                    • API String ID: 1872909662-3892791767
                                                                                                                                    • Opcode ID: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
                                                                                                                                    • Instruction ID: 6d3e5e79fb5ba3dc045185e0f7d8bb4044f56437cf7f7bc11c2c4fdfd27bba80
                                                                                                                                    • Opcode Fuzzy Hash: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
                                                                                                                                    • Instruction Fuzzy Hash: D1F0A4721086019BD210EA298841A6BF7E8DB923A8F11053FF89192283DB3DDC5586A9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040BFA6
                                                                                                                                    • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040BFD5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSendmemset
                                                                                                                                    • String ID: "
                                                                                                                                    • API String ID: 568519121-123907689
                                                                                                                                    • Opcode ID: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
                                                                                                                                    • Instruction ID: 52ec7358bf223f21f0f54ed804b07356b6d9a4f052c0f3137058475af9765f6b
                                                                                                                                    • Opcode Fuzzy Hash: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
                                                                                                                                    • Instruction Fuzzy Hash: 66016D75900206ABDB209F5ACC45EAFB7F8FF85745F00802AE855E7281E7349945CF79
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
                                                                                                                                    • memset.MSVCRT ref: 00401930
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PlacementWindowmemset
                                                                                                                                    • String ID: WinPos
                                                                                                                                    • API String ID: 4036792311-2823255486
                                                                                                                                    • Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
                                                                                                                                    • Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
                                                                                                                                    • Opcode Fuzzy Hash: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
                                                                                                                                    • Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • memset.MSVCRT ref: 0040BC4D
                                                                                                                                    • LoadStringW.USER32(X1E,00000000,?,00001000), ref: 0040BC65
                                                                                                                                      • Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
                                                                                                                                      • Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: memset$LoadString_itow
                                                                                                                                    • String ID: X1E
                                                                                                                                    • API String ID: 2363904170-1560614071
                                                                                                                                    • Opcode ID: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
                                                                                                                                    • Instruction ID: f380a03a7eecdd41986674abf89776040d4e37bafc66abb46cfa381fa5204df8
                                                                                                                                    • Opcode Fuzzy Hash: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
                                                                                                                                    • Instruction Fuzzy Hash: 71F082729013286AF720AB459D4AFDB776CDF05744F00007ABB08E5192DB349A40C7ED
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040B94E
• _itow.MSVCRT ref: 0040B95C
  • Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
  • Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32 ref: 0040B90F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$PrivateProfileString_itow
• String ID: X1E
• API String ID: 1482724422-1560614071
• Opcode ID: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
• Instruction ID: c527bd8864a1e8dc9924cbacd4c6e7ae812da0d58d0774c54ed9ac8dc2116314
• Opcode Fuzzy Hash: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
• Instruction Fuzzy Hash: EDE0BFB294021CB6EF11BFA1CC46F9D77ACBB14748F004025FA05A51D1E7B8E6598759
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040BE92
• wcscat.MSVCRT ref: 0040BEA8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
• Instruction ID: 84d8fe8025816c60ed5f34aa0efad718bb16e503e766276e22ad5a10aaf03d01
• Opcode Fuzzy Hash: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
• Instruction Fuzzy Hash: EDC01262586A20A4F622B622AE03B8A02888F52308F25006FFD00341C2EFAC561180EE
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
• Instruction ID: 5583aac8f3c8c6829f169dedbb5c7f3bc80267d871db847419cec400d03eb5c0
• Opcode Fuzzy Hash: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
• Instruction Fuzzy Hash: A551B375A00215EBDF14DF55D882BAEBB75FF04340F54805AED04A6252E7789E50CBE8
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
• Instruction ID: 98264c0c01cbe32efcdb0ac77575e239005db210b2699cda7c9871cbaaee01ad
• Opcode Fuzzy Hash: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
• Instruction Fuzzy Hash: 4B21B5B0A11700CFD7518F6A8485A16FAE8FF95310B26C9AFD159DB6B2D7B8C440CF14
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 004080AC: malloc.MSVCRT ref: 004080C8
  • Part of subcall function 004080AC: memcpy.MSVCRT ref: 004080E0
  • Part of subcall function 004080AC: free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
• memcpy.MSVCRT ref: 00408E44
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
• Instruction ID: da9404a03362d95f45f68813529404a67aab342ff110b4c830d245a8fa10e0ef
• Opcode Fuzzy Hash: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
• Instruction Fuzzy Hash: 7B214F71100604EFD730DF18D98199AB3F5FF853247118A2EF8A69B6E1CB39A915CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,0041767E,?,?,0041767E,00417A93,00000000,?,00417D00,?,00000000), ref: 00416D1A
• malloc.MSVCRT ref: 00416D22
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D39
• free.MSVCRT(00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D40
Memory Dump Source
• Source File: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
• Instruction ID: b9117e17fd0dd3e97e5004a4b09ed95055046f94a1a1b3665f6ad504cf0e37ce
• Opcode Fuzzy Hash: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
• Instruction Fuzzy Hash: DAF0377620521E7BE6102565AC40E77779CEB86276B21072BBD10E65D1ED59EC0046B4
Uniqueness
Uniqueness Score: -1.00%